Windows Analysis Report
PVUfopbGfc.exe

Overview

General Information

Sample name: PVUfopbGfc.exe (renamed because original name is a hash value)
Original sample name: 402aacbb8dc07d96733eee2292f709d89d65efbe82d55e0dd4b7764cdde287b5.exe
Analysis ID: 1524840
MD5: 249ed615e8b43896fffd3cb3755c7a0a
SHA1: 1b28a72f6746ad76f7b25ab767ce7b775282fbeb
SHA256: 402aacbb8dc07d96733eee2292f709d89d65efbe82d55e0dd4b7764cdde287b5
Tags: AciraConsultingIncexeuser-JAMESWT_MHT

Detection

Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Compliance

Score: 51
Range: 0 - 100

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected UAC Bypass using CMSTP
Found direct / indirect Syscall (likely to bypass EDR)
Modifies the DNS server
NDIS Filter Driver detected (likely used to intercept and sniff network traffic)
Queries sensitive system registry key value via command line tool
Reads the Security eventlog
Reads the System eventlog
Suspicious powershell command line found
Uses cmd line tools excessively to alter registry or file data
Uses netsh to modify the Windows network and firewall settings
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to communicate with device drivers
Contains functionality to delete services
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read device registry values (via SetupAPI)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates driver files
Creates files inside the driver directory
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Enables driver privileges
Enables security privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
One or more processes crash
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries device information via Setup API
Queries disk information (often used to detect virtual machines)
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries the installation date of Windows
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Tap Installer Execution
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

  • System is w10x64
  • PVUfopbGfc.exe (PID: 5564 cmdline: "C:\Users\user\Desktop\PVUfopbGfc.exe" MD5: 249ED615E8B43896FFFD3CB3755C7A0A)
    • PVUfopbGfc.tmp (PID: 2788 cmdline: "C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp" /SL5="$10438,20382094,735744,C:\Users\user\Desktop\PVUfopbGfc.exe" MD5: 259E3EE4646FC251C3513EEF2683479F)
      • cmd.exe (PID: 5548 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\driver\install_tap.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 5804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7100 cmdline: reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
        • find.exe (PID: 5512 cmdline: find /i "x86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • cmd.exe (PID: 2228 cmdline: C:\Windows\system32\cmd.exe /c ver MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • tapinstall.exe (PID: 3716 cmdline: tapinstall.exe remove tap0901 MD5: E313336C82EB265542664CC7A360C5FF)
        • tapinstall.exe (PID: 7160 cmdline: tapinstall.exe install OemVista.inf tap0901 MD5: E313336C82EB265542664CC7A360C5FF)
      • cmd.exe (PID: 2128 cmdline: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\sp\install_sp.bat"" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • sc.exe (PID: 3148 cmdline: sc stop fastestvpndriver MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
          • conhost.exe (PID: 1080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 6128 cmdline: reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
        • find.exe (PID: 4852 cmdline: find /i "x86" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • reg.exe (PID: 5436 cmdline: reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" MD5: 227F63E1D9008B36BDBCC4B397780BE4)
        • find.exe (PID: 6204 cmdline: find /i "Windows 7" MD5: 4BF76A28D31FC73AA9FC970B22D056AF)
        • xcopy.exe (PID: 6420 cmdline: xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
        • nfregdrv.exe (PID: 3032 cmdline: release\nfregdrv.exe -u fastestvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2)
        • nfregdrv.exe (PID: 6308 cmdline: release\nfregdrv.exe fastestvpndriver MD5: 9333F583E2D32A47276DCEC7C2391FD2)
      • sc.exe (PID: 6024 cmdline: "C:\Windows\system32\sc.exe" stop FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 6784 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • FastestVPN.WindowsService.exe (PID: 1532 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --uninstall MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
        • WerFault.exe (PID: 6172 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1076 MD5: C31336C1EFC2CCB44B4326EA793040F2)
      • sc.exe (PID: 2452 cmdline: "C:\Windows\system32\sc.exe" delete FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • FastestVPN.WindowsService.exe (PID: 4256 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --install MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
      • subinacl.exe (PID: 3184 cmdline: "C:\Program Files\FastestVPN\subinacl.exe" /service FastestVPNService /GRANT=everyone=TO MD5: 4798226EE22C513302EE57D3AA94398B)
        • conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • sc.exe (PID: 3924 cmdline: "C:\Windows\system32\sc.exe" start FastestVPNService MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
        • conhost.exe (PID: 576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • ComDebug.exe (PID: 1164 cmdline: "C:\Program Files\FastestVPN\Resources\ComDebug.exe" MD5: 850A43E323656B86AE665D8B4FD71369)
        • netsh.exe (PID: 6572 cmdline: C:\Windows\SysWOW64\netsh.exe MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
          • conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • FastestVPN.exe (PID: 6500 cmdline: "C:\Program Files\FastestVPN\FastestVPN.exe" MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1)
  • svchost.exe (PID: 4180 cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • drvinst.exe (PID: 5864 cmdline: DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{3de6fe3a-2caa-7342-a3c4-879d3bf6d444}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "c:\program files\fastestvpn\resources\driver\windows10\amd64" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
    • drvinst.exe (PID: 2360 cmdline: DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "0000000000000158" MD5: 294990C88B9D1FE0A54A1FA8BF4324D9)
  • svchost.exe (PID: 1568 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 4676 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • WerFault.exe (PID: 1520 cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1532 -ip 1532 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • FastestVPN.exe (PID: 6220 cmdline: "C:\Program Files\FastestVPN\FastestVPN.exe" -autorun MD5: 01CF6EF766C41BB2C99A2CCCDECC69C1)
    • powershell.exe (PID: 2360 cmdline: "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 2804 cmdline: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • svchost.exe (PID: 1200 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • FastestVPN.WindowsService.exe (PID: 3656 cmdline: "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" MD5: 22D4E4267DFE093E5E23C2F3D7741AA4)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
    • 0x339057:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    • 0x33db63:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
    • 0x3e5f06:$s1: CoGetObject

Source | Rule | Description | Author | Strings
00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Process Memory Space: PVUfopbGfc.tmp PID: 2788 | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |

        System Summary

        Source: File created, Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research), Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp, ProcessId: 2788, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastestVPN.lnk
        Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems), Data: Command: xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers, CommandLine: xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers, CommandLine|base64offset|contains: ), Image: C:\Windows\System32\xcopy.exe, NewProcessName: C:\Windows\System32\xcopy.exe, OriginalFileName: C:\Windows\System32\xcopy.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\sp\install_sp.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2128, ParentProcessName: cmd.exe, ProcessCommandLine: xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers, ProcessId: 6420, ProcessName: xcopy.exe
        Source: Process started, Author: Daniil Yugoslavskiy, Ian Davis, oscd.community, Data: Command: tapinstall.exe remove tap0901, CommandLine: tapinstall.exe remove tap0901, CommandLine|base64offset|contains: , Image: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe, NewProcessName: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe, OriginalFileName: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe, ParentCommandLine: "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\driver\install_tap.bat"", ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 5548, ParentProcessName: cmd.exe, ProcessCommandLine: tapinstall.exe remove tap0901, ProcessId: 3716, ProcessName: tapinstall.exe
        Source: Process started, Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements), Data: Command: "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID, CommandLine: "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID, CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\FastestVPN\FastestVPN.exe" -autorun, ParentImage: C:\Program Files\FastestVPN\FastestVPN.exe, ParentProcessId: 6220, ParentProcessName: FastestVPN.exe, ProcessCommandLine: "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID, ProcessId: 2360, ProcessName: powershell.exe
        Source: Process started, Author: vburov, Data: Command: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall, ProcessId: 4180, ProcessName: svchost.exe
        No Suricata rule has matched

        AV Detection

        Source: C:\Program Files\FastestVPN\Resources\desktop_drop_plugin.dll (copy), ReversingLabs: Detection: 62%
        Source: C:\Program Files\FastestVPN\Resources\is-O850J.tmp, ReversingLabs: Detection: 62%
        Source: PVUfopbGfc.exe, ReversingLabs: Detection: 21%

        Exploits

        Source: Yara match, File source: 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
        Source: Yara match, File source: Process Memory Space: PVUfopbGfc.tmp PID: 2788, type: MEMORYSTR
        Source: Yara match, File source: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp, type: DROPPED

        Compliance

        Source: PVUfopbGfc.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpWindow detected: License AgreementPlease read the following important information before continuing.Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation.Terms of ServiceThis is an agreement between you and FastestVPN.com for virtual private network communications services related services and features. It is NOT a service for the commission of criminal acts. It is an anonymity and privacy service. You agree not to violate any laws of any jurisdiction you are originating from or terminating into.You agree to protect your user id/password and our system from unauthorized use. You are responsible for all actions that occur on our servers where the login uses your user id/password.You agree not to use the system for sending spam port scanning scanning for open proxies or open relays sending opt-in email unsolicited email or any type or version of email sent in large quantities even if the email is ultimately sent off of another server. You agree not to launch any pop-ups from our service. You agree not to attack in any way shape or form any other computer or network while on our service.Actual service coverage speeds locations and quality may vary. The Service will attempt to be available at all times except for limited periods for maintenance and repair. However the Service may be subject to unavailability for a variety of factors beyond our control including emergencies third party service failures transmission equipment or network problems or limitations interference signal strength and may be interrupted refused limited or curtailed. We are not responsible for data messages or pages lost not delivered delayed or misdirected because of interruptions or performance issues with the Service or communications services or networks (e.g. T-1 lines or the Internet). 
We may impose usage or Service limits suspend Service or block certain kinds of usage in our sole discretion to protect users or the Service. Network speed is an estimate and is no indication of the speed at which your or the Service sends or receives data. Actual network speed will vary based on configuration compression network congestion and other factors. The accuracy and timeliness of data received is not guaranteed; delays or omissions may occur.We do not log any user activity (sites visited DNS lookups emails etc.) We only log access attempts to our servers (for security and troubleshooting). We do not get involved in any form of censorship. We do not give your personal info to any third parties. We do not cooperate with any requests for information unless we are ordered by a court of competent jurisdiction and the vast majority of these requests would not be from a court of competent jurisdiction. We will protect you to the max and our system is setup to automatically do so. There are hundreds of good reasons for being anonymous and we respect them fully.Hacking cracking distribution of viruses fraudulent activities network sa
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp, Directory created: C:\Program Files\FastestVPN
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp, Directory created: C:\Program Files\FastestVPN\unins000.dat
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\ResourcesJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-6P3FR.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-O850J.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-6VF2K.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-Q6LK1.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-PN3F9.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-9JICR.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-7ILAT.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-CK5KH.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-QL74S.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-T26NQ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-3J4SO.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-J64KK.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-83O8B.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-8LAO7.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-KM19Q.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-VFSD2.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-8JVLF.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-DN2OR.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-SGO7U.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-PA9AI.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-O73C0.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-Q54OD.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-1EFGP.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-RV0DT.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-164FL.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-28E9M.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-56J26.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-LOLBQ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-VIT86.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-G9QJE.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-942TQ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-B80D1.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-N1V1C.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-FJOGB.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-RE19F.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\dataJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\data\is-ADGAV.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\data\is-0H0F8.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\data\is-H10ET.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\data\is-ARL0G.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driverJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\is-CHAOM.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\is-AOAIR.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windowsJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-N9GRR.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-IKS87.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-9VP29.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-BL4HS.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-HFF22.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-PB0U9.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-IVL3H.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-5T7N4.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-T2HN9.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-QQCFD.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-L35S6.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-03F1A.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-0NNL9.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-CTGSB.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-S7TFV.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-7ND37.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-H7LPP.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-65EPS.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-QFN6K.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-M223I.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-VU56I.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-K6RGO.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-U2LBU.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-SFHT4.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\spJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\is-EAH1B.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\is-BC6TM.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driverJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\amd64Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\amd64\is-59VFL.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\i386Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\i386\is-5LPUL.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\amd64Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\amd64\is-A14JT.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\i386Jump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\i386\is-0T1HF.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\releaseJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\release\is-7K05F.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\sp\release\is-187AR.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\ServiceJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-STPBV.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-9A2GQ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-JH357.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-N8COH.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-4N4RA.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-SEDKF.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-8PJAJ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-93OID.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-DJ6NL.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-8LP97.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-UCOLB.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-DEAN7.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-JCMQP.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-6NKFQ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-BOM98.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-SAAPO.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-KPJ2D.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-7NCSV.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-KR8E2.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-9CU0N.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-C2DGA.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-UPKPF.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Service\is-0C2FG.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\is-HFT6T.tmpJump to behavior
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Directory created: C:\Program Files\FastestVPN\Service\InstallUtil.InstallLog
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Directory created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Directory created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallState
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastestVPN_is1
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe File created: C:\Program Files\FastestVPN\Service\InstallUtil.InstallLog
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe File created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog
        Source: PVUfopbGfc.exe Static PE information: certificate valid
        Source: PVUfopbGfc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: System.Configuration.Install.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4047258906.000000000C262000.00000002.00000001.01000000.0000002E.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdbX source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb@ source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\samuli\source\repos\tap-windows6\devcon\x64\Release\devcon.pdb source: tapinstall.exe, 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, tapinstall.exe, 0000000A.00000000.2467264537.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, tapinstall.exe, 0000000B.00000000.2472764567.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, tapinstall.exe, 0000000B.00000002.2531778440.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, is-H7LPP.tmp.1.dr
        Source: Binary string: mTC:\Windows\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: C:\BuildAgent\work\da2c3d9512902c54\Tooling\obj\Release\System.Web.Cors\System.Web.Cors.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4012901383.0000000003B72000.00000002.00000001.01000000.00000049.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdbe\FastestVPN.WindowsServic source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN\obj\Debug\VPN.pdbB3\3 N3_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4013966396.0000000003C42000.00000002.00000001.01000000.0000004B.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.Common\obj\Debug\VPN.Common.pdb source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000001E.00000002.3012856544.0000000004F32000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4047412647.000000000C282000.00000002.00000001.01000000.0000002F.sdmp, is-3DN0E.tmp.1.dr
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb@\cq^/_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\FastestVPN.WindowsService.pdbpdbice.pdb35 source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdbSHA256Z source: FastestVPN.WindowsService.exe, 0000001E.00000002.3013228401.0000000005312000.00000002.00000001.01000000.0000000E.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\exe\FastestVPN.WindowsService.pdbesm source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Microsoft.Owin.Cors.pdbSHA256 source: FastestVPN.WindowsService.exe, 0000002F.00000002.4012410200.0000000003B52000.00000002.00000001.01000000.00000047.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.AspNet.SignalR.Core.pdbJ source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.00000000008A8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: E:\nt\dnsrv\sdktools\reskit\content\subinacl\source\obj\i386\subinacl.pdb source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, subinacl.exe, subinacl.exe, 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, subinacl.exe, 0000002B.00000000.3029456952.0000000001001000.00000020.00000001.01000000.00000032.sdmp
        Source: Binary string: Microsoft.Owin.Cors.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4012410200.0000000003B52000.00000002.00000001.01000000.00000047.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Common\obj\Release\FastestVPN.Common.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4009855225.0000000003722000.00000002.00000001.01000000.00000033.sdmp
        Source: Binary string: Microsoft.Owin.Diagnostics.pdbSHA256 source: FastestVPN.WindowsService.exe, 0000002F.00000002.4013460664.0000000003C12000.00000002.00000001.01000000.00000048.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN\obj\Debug\VPN.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013966396.0000000003C42000.00000002.00000001.01000000.0000004B.sdmp
        Source: Binary string: C:\users\vagrant\buildbot\windows-server-2019-static-msbuild\openvpn\x64-Output\Release\openvpn.pdbttLnGCTL source: is-164FL.tmp.1.dr
        Source: Binary string: c:\Users\Junaid AK\Desktop\New folder (2)\SingleInstanceApplication\SingleInstanceApplication\obj\Release\SingleInstanceApplication.pdb source: FastestVPN.exe, 00000034.00000002.3106868206.0000000004E62000.00000002.00000001.01000000.00000012.sdmp
        Source: Binary string: Microsoft.Owin.Hosting.pdbSHA256d"M! source: FastestVPN.WindowsService.exe, 0000002F.00000002.4010652534.0000000003A42000.00000002.00000001.01000000.00000034.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4047412647.000000000C282000.00000002.00000001.01000000.0000002F.sdmp, is-3DN0E.tmp.1.dr
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.OpenVpn\obj\Debug\VPN.OpenVpn.pdbRhlh ^h_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4014061839.0000000003C52000.00000002.00000001.01000000.0000004C.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4032653581.00000000065A2000.00000002.00000001.01000000.0000002B.sdmp, is-Q3SSJ.tmp.1.dr
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000001E.00000002.3013228401.0000000005312000.00000002.00000001.01000000.0000000E.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: c:\projects\projectsJ\nfsdk2_1.6\bin\release\win32\nfapi.pdb< source: nfregdrv.exe, 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp, nfregdrv.exe, 0000001B.00000002.2548897423.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
        Source: Binary string: Hardcodet.NotifyIcon.Wpf.pdbSHA256[ source: FastestVPN.exe, 00000021.00000002.4030148839.00000000062B2000.00000002.00000001.01000000.0000001F.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4032743479.00000000065B2000.00000002.00000001.01000000.0000002C.sdmp
        Source: Binary string: h:\projects\netfilter3\bin\Release\Win32\nfregdrv.pdb )0THi source: nfregdrv.exe, 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001A.00000000.2543194274.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000000.2548063602.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000002.2548485149.0000000000408000.00000002.00000001.01000000.00000009.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256x source: FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4046582845.000000000BC82000.00000002.00000001.01000000.0000002D.sdmp
        Source: Binary string: \??\C:\Windows\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: is-RE19F.tmp.1.dr
        Source: Binary string: $cqEC:\Program Files\FastestVPN\Service\Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\host_release\flutter_windows.dll.pdb source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\projects\projectsJ\nfsdk2_1.6\driver_wfp\Win8\Win8Release\x64\netfilter2.pdb source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr
        Source: Binary string: tem.pdbp source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: h:\projects\netfilter3\bin\Release\Win32\nfregdrv.pdb source: nfregdrv.exe, 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001A.00000000.2543194274.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000000.2548063602.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000002.2548485149.0000000000408000.00000002.00000001.01000000.00000009.sdmp
        Source: Binary string: ntdll.pdbUGP source: ComDebug.exe, 00000030.00000002.4003301111.000001869C890000.00000004.00000800.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002937059.000001869C49E000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4003848423.000001869CA91000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\System.Configuration.Install.pdbpdball.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: agar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.Common\obj\Debug\VPN.Common.pdbH source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000001E.00000002.3012856544.0000000004F32000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.WireGuard\obj\Debug\VPN.WireGuard.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014641170.0000000003CA2000.00000002.00000001.01000000.00000050.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Data.Local\obj\Release\FastestVPN.Data.Local.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027480345.0000000005FE2000.00000002.00000001.01000000.0000001D.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4025039964.0000000005A62000.00000002.00000001.01000000.00000015.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000001E.00000000.2551119623.0000000000682000.00000002.00000001.01000000.0000000B.sdmp, is-9A2GQ.tmp.1.dr
        Source: Binary string: E:\A\_work\89\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard\System.Memory.pdbSHA256HXhZm source: FastestVPN.exe, 00000021.00000002.4047875216.000000000C2F2000.00000002.00000001.01000000.00000030.sdmp
        Source: Binary string: Microsoft.Owin.pdbSHA256 source: FastestVPN.WindowsService.exe, 0000002F.00000002.4011595996.0000000003A92000.00000002.00000001.01000000.00000035.sdmp
        Source: Binary string: mscorlib.pdb source: FastestVPN.exe, 00000021.00000002.4034278894.0000000008D06000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: $cq^/_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.RAS\obj\Debug\VPN.RAS.pdb source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014432584.0000000003C92000.00000002.00000001.01000000.0000004D.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.00000000008A8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4025039964.0000000005A62000.00000002.00000001.01000000.00000015.sdmp
        Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4032157107.0000000006522000.00000002.00000001.01000000.00000020.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4033102283.00000000067C2000.00000002.00000001.01000000.0000002A.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.ServiceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.ViewModel\obj\Release\FastestVPN.ViewModel.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027000296.0000000005F82000.00000002.00000001.01000000.00000019.sdmp
        Source: Binary string: Microsoft.Owin.Host.HttpListener.pdbSHA256-( source: FastestVPN.WindowsService.exe, 0000002F.00000002.4012036671.0000000003AC2000.00000002.00000001.01000000.00000038.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\repos\main\SSH2\Release\pdbs\BvUpdateLauncher.pdb source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\symbols\exe\FastestVPN.WindowsService.pdbvqZ source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Microsoft.Owin.Security.pdbSHA256U source: FastestVPN.WindowsService.exe, 0000002F.00000002.4013038438.0000000003B82000.00000002.00000001.01000000.0000004A.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\FastestVPN.WindowsService.pdbLl H source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Data.Remote\obj\Release\FastestVPN.Data.Remote.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027602256.0000000005FF2000.00000002.00000001.01000000.0000001E.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.BLL\obj\Release\FastestVPN.BLL.pdbVepe be_CorDllMainmscoree.dll source: FastestVPN.exe, 00000021.00000002.4027318098.0000000005FD2000.00000002.00000001.01000000.0000001C.sdmp
        Source: Binary string: symbols\exe\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.OpenVpn\obj\Debug\VPN.OpenVpn.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014061839.0000000003C52000.00000002.00000001.01000000.0000004C.sdmp
        Source: Binary string: C:\Windows\System.ServiceProcess.pdbpdbess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4025702426.0000000005BC2000.00000002.00000001.01000000.00000017.sdmp
        Source: Binary string: msvcr100.i386.pdb source: is-1EFGP.tmp.1.dr
        Source: Binary string: Microsoft.Owin.Diagnostics.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013460664.0000000003C12000.00000002.00000001.01000000.00000048.sdmp
        Source: Binary string: System.ServiceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbU source: FastestVPN.exe, 00000021.00000002.4043006984.000000000B738000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4025844437.0000000005BD2000.00000002.00000001.01000000.00000016.sdmp
        Source: Binary string: System.Configuration.Install.pdbxF source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.WireGuard\obj\Debug\VPN.WireGuard.pdb2;L; >;_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4014641170.0000000003CA2000.00000002.00000001.01000000.00000050.sdmp
        Source: Binary string: \??\C:\Windows\System.Configuration.Install.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: E:\nt\dnsrv\sdktools\reskit\content\subinacl\source\obj\i386\subinacl.pdbPa source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, subinacl.exe, 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, subinacl.exe, 0000002B.00000000.3029456952.0000000001001000.00000020.00000001.01000000.00000032.sdmp
        Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\spNet.SignalR.Core.pdb561934e089\System.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4032653581.00000000065A2000.00000002.00000001.01000000.0000002B.sdmp, is-Q3SSJ.tmp.1.dr
        Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4026147118.0000000005BF2000.00000002.00000001.01000000.00000018.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Diagnostics\obj\Release\FastestVPN.Diagnostics.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4026760772.0000000005F52000.00000002.00000001.01000000.0000001B.sdmp
        Source: Binary string: c:\projects\projectsJ\nfsdk2_1.6\bin\release\win32\nfapi.pdb source: nfregdrv.exe, 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp, nfregdrv.exe, 0000001B.00000002.2548897423.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4025702426.0000000005BC2000.00000002.00000001.01000000.00000017.sdmp
        Source: Binary string: c:\Users\lodejard\Projects\owin-hosting\src\main\Owin.Startup\obj\Release\Owin.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4010427946.0000000003A22000.00000002.00000001.01000000.00000036.sdmp
        Source: Binary string: Microsoft.Owin.Hosting.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4010652534.0000000003A42000.00000002.00000001.01000000.00000034.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.DependencyInjection\obj\Release\FastestVPN.DI.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4024820735.0000000005A52000.00000002.00000001.01000000.00000014.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4032743479.00000000065B2000.00000002.00000001.01000000.0000002C.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4025844437.0000000005BD2000.00000002.00000001.01000000.00000016.sdmp
        Source: Binary string: c:\Users\Junaid AK\Desktop\New folder (2)\SingleInstanceApplication\SingleInstanceApplication\obj\Release\SingleInstanceApplication.pdb@:^: P:_CorDllMainmscoree.dll source: FastestVPN.exe, 00000034.00000002.3106868206.0000000004E62000.00000002.00000001.01000000.00000012.sdmp
        Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4014983868.0000000003D02000.00000002.00000001.01000000.0000004E.sdmp
        Source: Binary string: E:\A\_work\89\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard\System.Memory.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4047875216.000000000C2F2000.00000002.00000001.01000000.00000030.sdmp
        Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4032157107.0000000006522000.00000002.00000001.01000000.00000020.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.BLL\obj\Release\FastestVPN.BLL.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027318098.0000000005FD2000.00000002.00000001.01000000.0000001C.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4046582845.000000000BC82000.00000002.00000001.01000000.0000002D.sdmp
        Source: Binary string: Microsoft.Owin.Security.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013038438.0000000003B82000.00000002.00000001.01000000.0000004A.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Common\obj\Release\FastestVPN.Common.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4009855225.0000000003722000.00000002.00000001.01000000.00000033.sdmp
        Source: Binary string: $cq!Microsoft.AspNet.SignalR.Core.pdb`,cq)"<>| source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014983868.0000000003D02000.00000002.00000001.01000000.0000004E.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.AdvancedNetwork\obj\Debug\VPN.AdvancedNetwork.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013290724.0000000003BA2000.00000002.00000001.01000000.0000004F.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN\obj\Release\FastestVPN.pdb source: FastestVPN.exe, 00000021.00000000.2556167856.0000000000CCD000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: c:\projects\projectsj\nfsdk2_1.6\driver_wfp\std\objfre_win7_x86\i386\netfilter2.pdb source: is-5LPUL.tmp.1.dr
        Source: Binary string: System.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Microsoft.Owin.Host.HttpListener.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4012036671.0000000003AC2000.00000002.00000001.01000000.00000038.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4033102283.00000000067C2000.00000002.00000001.01000000.0000002A.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Data.Remote\obj\Release\FastestVPN.Data.Remote.pdbb^|^ n^_CorDllMainmscoree.dll source: FastestVPN.exe, 00000021.00000002.4027602256.0000000005FF2000.00000002.00000001.01000000.0000001E.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.DependencyInjection\obj\Release\FastestVPN.DI.pdbY6s6 e6_CorDllMainmscoree.dll source: FastestVPN.exe, 00000021.00000002.4024820735.0000000005A52000.00000002.00000001.01000000.00000014.sdmp
        Source: Binary string: \??\C:\Windows\exe\FastestVPN.WindowsService.pdb3 source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: FastestVPN.exe, 00000021.00000002.4043006984.000000000B738000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\users\vagrant\buildbot\windows-server-2019-static-msbuild\openvpn\x64-Output\Release\openvpn.pdb source: is-164FL.tmp.1.dr
        Source: Binary string: C:\Users\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: drvinst.exe, 0000000E.00000003.2501420084.000001F40B804000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.2495027565.000001F40B75E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.2501048553.000001F40B803000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdb source: ComDebug.exe, 00000030.00000002.4003301111.000001869C890000.00000004.00000800.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002937059.000001869C49E000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4003848423.000001869CA91000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256Ci\ source: FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4047258906.000000000C262000.00000002.00000001.01000000.0000002E.sdmp
        Source: Binary string: Microsoft.Owin.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4011595996.0000000003A92000.00000002.00000001.01000000.00000035.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Configuration.Install.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mC:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.pdby source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: Windows\dll\mscorlib.pdb}Wl source: FastestVPN.exe, 00000021.00000002.4042897141.000000000B729000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: m.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.PDB*H( source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Hardcodet.NotifyIcon.Wpf.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4030148839.00000000062B2000.00000002.00000001.01000000.0000001F.sdmp
        Source: Binary string: \??\C:\Windows\symbols\exe\FastestVPN.WindowsService.pdb00 source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Code function: 10_2_00007FF798C7E0B0 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,10_2_00007FF798C7E0B0
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Code function: 10_2_00007FF798C43630 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF798C43630
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Code function: 10_2_00007FF798C7ECAC FindFirstFileExW,FindNextFileW,FindClose,10_2_00007FF798C7ECAC
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Code function: 10_2_00007FF798C7E810 FindFirstFileExW,10_2_00007FF798C7E810
        Source: C:\Program Files\FastestVPN\subinacl.exe Code function: 43_2_0103172D __EH_prolog,#540,#922,#858,#800,#2910,wcslen,#2910,wcslen,#823,GetLastError,_CxxThrowException,#2910,#2910,swprintf,FindFirstFileW,GetLastError,#825,#2910,FindFirstFileW,wcscmp,wcscmp,wcscmp,#535,#942,#942,#535,#942,#942,#800,FindNextFileW,FindClose,#800,43_2_0103172D
        Source: C:\Program Files\FastestVPN\subinacl.exe Code function: 43_2_01031DDF __EH_prolog,#540,#925,#858,#800,#2910,wcslen,wcslen,#2910,wcslen,#823,GetLastError,_CxxThrowException,#2910,#2910,swprintf,FindFirstFileW,GetLastError,#825,#2910,FindFirstFileW,wcscmp,wcscmp,#540,#538,#922,#925,#858,#800,#800,#800,#925,#800,#858,#800,FindNextFileW,FindClose,#800,43_2_01031DDF
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe Code function: 48_2_00007FF6DB6CE330 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,48_2_00007FF6DB6CE330
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe Code function: 48_2_00007FF8A8538F90 FindFirstFileExW,48_2_00007FF8A8538F90
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe Code function: 26_2_100163B0 GetLogicalDriveStringsW,QueryDosDeviceW,GetDriveTypeW,EnterCriticalSection,LeaveCriticalSection,26_2_100163B0
        Source: C:\Windows\System32\cmd.exe File opened: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\
        Source: C:\Windows\System32\cmd.exe File opened: C:\Program Files\FastestVPN\
        Source: C:\Windows\System32\cmd.exe File opened: C:\Program Files\FastestVPN\Resources\
        Source: C:\Windows\System32\cmd.exe File opened: C:\Program Files\FastestVPN\Resources\driver\windows10\
        Source: C:\Windows\System32\cmd.exe File opened: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64
        Source: C:\Windows\System32\cmd.exe File opened: C:\Program Files\FastestVPN\Resources\driver\

        Networking

        Source: is-59VFL.tmp.1.dr Static PE information: Found NDIS imports: FwpsFlowAssociateContext0, FwpsCalloutUnregisterByKey0, FwpmSubLayerAdd0, FwpsQueryPacketInjectionState0, FwpmSubLayerDeleteByKey0, FwpmSubLayerEnum0, FwpmTransactionCommit0, FwpmSubLayerCreateEnumHandle0, FwpmSubLayerDestroyEnumHandle0, FwpmProviderContextDeleteByKey0, FwpmCalloutAdd0, FwpmProviderAdd0, FwpmTransactionAbort0, FwpmEngineOpen0, FwpsAcquireClassifyHandle0, FwpmFilterAdd0, FwpsPendClassify0, FwpsCalloutRegister1, FwpmTransactionBegin0, FwpmEngineClose0, FwpmFreeMemory0, FwpsAcquireWritableLayerDataPointer0, FwpsApplyModifiedLayerData0, FwpsInjectNetworkReceiveAsync0, FwpsFreeCloneNetBufferList0, FwpsInjectionHandleDestroy0, FwpsConstructIpHeaderForTransportPacket0, FwpsAllocateNetBufferAndNetBufferList0, FwpsInjectionHandleCreate0, FwpsInjectTransportReceiveAsync0, FwpsInjectNetworkSendAsync0, FwpsCopyStreamDataToBuffer0, FwpsInjectTransportSendAsync0, FwpsFlowRemoveContext0, FwpsCloneStreamData0, FwpsCompleteClassify0, FwpsStreamInjectAsync0, FwpsReleaseClassifyHandle0, FwpsDiscardClonedStreamData0, FwpmBfeStateGet0, FwpmBfeStateSubscribeChanges0, FwpmBfeStateUnsubscribeChanges0, FwpsFreeNetBufferList0
        Source: is-5LPUL.tmp.1.dr Static PE information: Found NDIS imports: FwpsFreeNetBufferList0, FwpmEngineOpen0, FwpmProviderAdd0, FwpmSubLayerDeleteByKey0, FwpmProviderContextDeleteByKey0, FwpsAcquireClassifyHandle0, FwpsQueryPacketInjectionState0, FwpsFlowAssociateContext0, FwpmSubLayerAdd0, FwpmSubLayerCreateEnumHandle0, FwpmFreeMemory0, FwpmSubLayerEnum0, FwpmSubLayerDestroyEnumHandle0, FwpmCalloutAdd0, FwpmFilterAdd0, FwpmTransactionBegin0, FwpmEngineClose0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpsCalloutRegister1, FwpsCalloutUnregisterByKey0, FwpsPendClassify0, FwpsInjectionHandleCreate0, FwpsCopyStreamDataToBuffer0, FwpsInjectNetworkReceiveAsync0, FwpsAcquireWritableLayerDataPointer0, FwpsApplyModifiedLayerData0, FwpsAllocateNetBufferAndNetBufferList0, FwpsInjectTransportSendAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectNetworkSendAsync0, FwpsInjectTransportReceiveAsync0, FwpsFreeCloneNetBufferList0, FwpsInjectionHandleDestroy0, FwpsFlowRemoveContext0, FwpsCloneStreamData0, FwpsCompleteClassify0, FwpsReleaseClassifyHandle0, FwpsDiscardClonedStreamData0, FwpsStreamInjectAsync0, FwpmBfeStateGet0, FwpmBfeStateSubscribeChanges0, FwpmBfeStateUnsubscribeChanges0
        Source: is-A14JT.tmp.1.dr Static PE information: Found NDIS imports: FwpmFreeMemory0, FwpmEngineOpen0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmProviderAdd0, FwpmProviderContextDeleteByKey0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmSubLayerCreateEnumHandle0, FwpmSubLayerEnum0, FwpmSubLayerDestroyEnumHandle0, FwpmCalloutAdd0, FwpmFilterAdd0, FwpsFlowAbort0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsRedirectHandleCreate0, FwpsFreeNetBufferList0, FwpsFreeCloneNetBufferList0, FwpsInjectNetworkSendAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectTransportSendAsync0, FwpsInjectTransportReceiveAsync0, FwpsInjectNetworkReceiveAsync0, FwpsStreamInjectAsync0, FwpsCopyStreamDataToBuffer0, FwpmBfeStateGet0, FwpmBfeStateSubscribeChanges0, FwpmBfeStateUnsubscribeChanges0, FwpsFlowRemoveContext0, FwpsCompleteClassify0, FwpsRedirectHandleDestroy0, FwpsCloneStreamData0, FwpsDiscardClonedStreamData0, FwpsQueryPacketInjectionState0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpsFlowAssociateContext0, FwpsCalloutUnregisterByKey0, FwpsPendClassify0, FwpsCalloutRegister1, FwpsAllocateNetBufferAndNetBufferList0
        Source: is-0T1HF.tmp.1.dr Static PE information: Found NDIS imports: FwpmFreeMemory0, FwpmEngineOpen0, FwpmEngineClose0, FwpmTransactionBegin0, FwpmTransactionCommit0, FwpmTransactionAbort0, FwpmProviderAdd0, FwpmProviderContextDeleteByKey0, FwpmSubLayerAdd0, FwpmSubLayerDeleteByKey0, FwpmSubLayerCreateEnumHandle0, FwpmSubLayerEnum0, FwpmSubLayerDestroyEnumHandle0, FwpmCalloutAdd0, FwpmFilterAdd0, FwpsFlowAbort0, FwpsInjectionHandleCreate0, FwpsInjectionHandleDestroy0, FwpsRedirectHandleCreate0, FwpsFreeNetBufferList0, FwpsFreeCloneNetBufferList0, FwpsInjectNetworkSendAsync0, FwpsConstructIpHeaderForTransportPacket0, FwpsInjectTransportSendAsync0, FwpsInjectTransportReceiveAsync0, FwpsInjectNetworkReceiveAsync0, FwpsStreamInjectAsync0, FwpsCopyStreamDataToBuffer0, FwpmBfeStateGet0, FwpmBfeStateSubscribeChanges0, FwpmBfeStateUnsubscribeChanges0, FwpsFlowRemoveContext0, FwpsCompleteClassify0, FwpsRedirectHandleDestroy0, FwpsCloneStreamData0, FwpsDiscardClonedStreamData0, FwpsQueryPacketInjectionState0, FwpsApplyModifiedLayerData0, FwpsAcquireWritableLayerDataPointer0, FwpsReleaseClassifyHandle0, FwpsAcquireClassifyHandle0, FwpsFlowAssociateContext0, FwpsCalloutUnregisterByKey0, FwpsPendClassify0, FwpsCalloutRegister1, FwpsAllocateNetBufferAndNetBufferList0
        Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
        Source: global trafficDNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
        Source: ComDebug.exe, 00000030.00000003.3054344058.000001869CA96000.00000004.00000001.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059189309.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058677131.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059676809.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059740054.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058777370.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059246630.000001869C311000.00000004.00000020.00020000.00000000.sdmp, file_selector_windows_plugin.dll.48.dr, is-J64KK.tmp.1.drString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
        Source: svchost.exe, 00000023.00000003.2587704055.0000023FDAAE6000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003612909.0000023FDAADD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.ver)
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl1.comsign.co.il/crl/comsignglobalrootca.crl0
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSig
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4034278894.0000000008D2D000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4034278894.0000000008C7F000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, is-9A2GQ.tmp.1.dr, is-3DN0E.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, is-9A2GQ.tmp.1.dr, is-3DN0E.tmp.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4034278894.0000000008D2D000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4034278894.0000000008C7F000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, is-9A2GQ.tmp.1.dr, is-3DN0E.tmp.1.drString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlw
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
        Source: ComDebug.exe, 00000030.00000003.3054344058.000001869CA96000.00000004.00000001.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059189309.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058677131.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059676809.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059740054.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058777370.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059246630.000001869C311000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-164FL.tmp.1.dr, is-RE19F.tmp.1.dr, file_selector_windows_plugin.dll.48.dr, is-J64KK.tmp.1.drString found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
        Source: ComDebug.exe, 00000030.00000003.3054344058.000001869CA96000.00000004.00000001.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059189309.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058677131.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059676809.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059740054.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058777370.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059246630.000001869C311000.00000004.00000020.00020000.00000000.sdmp, file_selector_windows_plugin.dll.48.dr, is-J64KK.tmp.1.drString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
        Source: FastestVPN.exe, 00000021.00000002.4039844123.000000000B561000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
        Source: FastestVPN.exe, 00000021.00000002.4039844123.000000000B51C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
        Source: FastestVPN.exe, 00000021.00000002.4009861219.0000000003314000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/FastestVPN;component/Assets/Fonts/outfit-variablefont_wght.ttf
        Source: FastestVPN.exe, 00000021.00000002.4009861219.0000000003314000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://defaultcontainer/FastestVPN;component/Assets/Fonts/outfit-variablefont_wght.ttfd
        Source: svchost.exe, 00000023.00000002.4004331371.0000023FDB179000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2
        Source: svchost.exe, 00000023.00000003.2690706263.0000023FDB174000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-
        Source: svchost.exe, 00000023.00000003.2618421493.0000023FDB107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2637808568.0000023FDB108000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
        Source: svchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2673599266.0000023FDB176000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd?
        Source: svchost.exe, 00000023.00000003.2637478660.0000023FDB129000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
        Source: svchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2673599266.0000023FDB176000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdes
        Source: svchost.exe, 00000023.00000002.4004044511.0000023FDB100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2618421493.0000023FDB107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2637808568.0000023FDB108000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
        Source: svchost.exe, 00000023.00000002.4004331371.0000023FDB179000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2690706263.0000023FDB179000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd0a
        Source: svchost.exe, 00000023.00000003.2637478660.0000023FDB129000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
        Source: svchost.exe, 00000023.00000003.2637478660.0000023FDB129000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
        Source: svchost.exe, 00000023.00000003.2592881416.0000023FDB152000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
        Source: svchost.exe, 00000023.00000003.2690706263.0000023FDB179000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
        Source: svchost.exe, 00000026.00000003.2583646117.000001E759230000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://f.c2r.ts.cdn.office.net/pr/492350f6-3a01-4f97-b9c0-c7c6ddf67d60/Office/Data/v32_16.0.16827.20
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/comsignglobalrootca.crl0;
        Source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027602256.0000000005FF2000.00000002.00000001.01000000.0000001E.sdmpString found in binary or memory: http://ip-api.com/json
        Source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpString found in binary or memory: http://issuetracker.google.com/200067929
        Source: FastestVPN.WindowsService.exe, 0000002F.00000002.4014983868.0000000003D02000.00000002.00000001.01000000.0000004E.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
        Source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpString found in binary or memory: http://labs.creativecommons.org/licenses/zero-waive/1.0/us/legalcodeRegularVersion
        Source: powershell.exe, 00000024.00000002.2694615872.0000000005A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://nuget.org/NuGet.exe
        Source: ComDebug.exe, 00000030.00000002.4002071785.000001869C150000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.co
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4034278894.0000000008D2D000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4034278894.0000000008C7F000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, is-9A2GQ.tmp.1.dr, is-3DN0E.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr, is-9A2GQ.tmp.1.dr, is-3DN0E.tmp.1.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0A
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0C
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0H
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0I
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, is-5LPUL.tmp.1.drString found in binary or memory: http://ocsp.digicert.com0O
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3024841016.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-9A2GQ.tmp.1.dr, is-164FL.tmp.1.dr, is-3DN0E.tmp.1.dr, is-RE19F.tmp.1.drString found in binary or memory: http://ocsp.entrust.net00
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3024841016.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-9A2GQ.tmp.1.dr, is-164FL.tmp.1.dr, is-3DN0E.tmp.1.dr, is-RE19F.tmp.1.drString found in binary or memory: http://ocsp.entrust.net01
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4037191355.0000000008DC7000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3024841016.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-9A2GQ.tmp.1.dr, is-164FL.tmp.1.dr, is-3DN0E.tmp.1.dr, is-RE19F.tmp.1.drString found in binary or memory: http://ocsp.entrust.net03
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust_
        Source: ComDebug.exe, 00000030.00000003.3054344058.000001869CA96000.00000004.00000001.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059189309.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058677131.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059676809.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059740054.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058777370.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059246630.000001869C311000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-164FL.tmp.1.dr, is-RE19F.tmp.1.dr, file_selector_windows_plugin.dll.48.dr, is-J64KK.tmp.1.drString found in binary or memory: http://ocsp.sectigo.com0
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.suscerte.gob.ve0
        Source: svchost.exe, 00000023.00000002.4004907867.0000023FDB874000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004637528.0000023FDB837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://passport.net/tb
        Source: powershell.exe, 00000024.00000002.2688557977.0000000004B71000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://pesterbdd.com/images/Pester.png
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcessd
        Source: FastestVPN.exe, 00000021.00000002.4009861219.0000000003011000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
        Source: svchost.exe, 00000023.00000002.4004331371.0000023FDB15F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
        Source: svchost.exe, 00000023.00000002.4004266510.0000023FDB137000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
        Source: svchost.exe, 00000023.00000003.2673467981.0000023FDB184000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004331371.0000023FDB15F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004266510.0000023FDB137000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
        Source: svchost.exe, 00000023.00000003.2673467981.0000023FDB184000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004487236.0000023FDB184000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004331371.0000023FDB15F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
        Source: svchost.exe, 00000023.00000002.4004266510.0000023FDB137000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scen
        Source: svchost.exe, 00000023.00000003.2673467981.0000023FDB184000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004331371.0000023FDB15F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
        Source: svchost.exe, 00000023.00000002.4004331371.0000023FDB15F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
        Source: svchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuee
        Source: svchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issuessue
        Source: svchost.exe, 00000023.00000002.4003744491.0000023FDAB02000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=8
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80600
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&amp;id=80601
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
        Source: svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600er
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
        Source: svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601er
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ListSessions.srf
        Source: svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srf?
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageApprover.srfr.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ManageLoginKeys.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4005121009.0000023FDB89E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srf
        Source: svchost.exe, 00000023.00000002.4005273621.0000023FDB8A8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srfA7826
        Source: svchost.exe, 00000023.00000002.4004532266.0000023FDB800000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/RST2.srfd
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/didtou.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004266510.0000023FDB137000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getrealminfo.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/getuserrealm.srf
        Source: svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsec
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2575547972.0000023FDB110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
        Source: svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
        Source: svchost.exe, 00000023.00000002.4004833132.0000023FDB85F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-DmywuhewAd5LFGly3FfW90wowG4
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
        Source: svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
        Source: svchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576358259.0000023FDB16B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
        Source: svchost.exe, 00000023.00000002.4004637528.0000023FDB837000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf:
        Source: svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
        Source: svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfn
        Source: svchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfsue1
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
        Source: svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805023
        Source: svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
        Source: svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806001
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600Issuer
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003744491.0000023FDAB02000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
        Source: svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806035
        Source: svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576119449.0000023FDB157000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&amp;fid=cp
        Source: svchost.exe, 00000023.00000002.4002959664.0000023FDAA52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2575618497.0000023FDB15A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
        Source: svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
        Source: svchost.exe, 00000023.00000003.2575547972.0000023FDB110000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003013697.0000023FDAA63000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
        Source: svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfsuer
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/resetpw.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/retention.srfce
        Source: svchost.exe, 00000023.00000002.4004907867.0000023FDB874000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com:443/RST2.srf
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/MSARST2.srf?
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
        Source: svchost.exe, 00000023.00000002.4002959664.0000023FDAA52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf
        Source: svchost.exe, 00000023.00000003.2575547972.0000023FDB110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf:CLSID
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
        Source: svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srfuer
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
        Source: svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuer
        Source: svchost.exe, 00000023.00000002.4002959664.0000023FDAA52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2575547972.0000023FDB110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
        Source: svchost.exe, 00000023.00000002.4002959664.0000023FDAA52000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srf
        Source: svchost.exe, 00000023.00000002.4002959664.0000023FDAA52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2575547972.0000023FDB110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
        Source: svchost.exe, 00000023.00000003.2575547972.0000023FDB110000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfRE
        Source: powershell.exe, 00000024.00000002.2694615872.0000000005A88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
        Source: FastestVPN.exe, 00000021.00000002.4038415268.0000000009192000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://scripts.sil.org/OFL
        Source: FastestVPN.exe, 00000021.00000000.2556167856.0000000000B02000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: https://scripts.sil.org/OFLThis
        Source: FastestVPN.exe, 00000021.00000000.2556167856.0000000000B02000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: https://scripts.sil.org/OFLwww.rfuenzalida.comwww.fragtypefoundry.xyzRodrigo
        Source: ComDebug.exe, 00000030.00000003.3054344058.000001869CA96000.00000004.00000001.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002071785.000001869C150000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059189309.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058677131.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059676809.000001869A311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059740054.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3058777370.000001869C311000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000003.3059246630.000001869C311000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-164FL.tmp.1.dr, is-RE19F.tmp.1.dr, file_selector_windows_plugin.dll.48.dr, is-J64KK.tmp.1.dr String found in binary or memory: https://sectigo.com/CPS0
        Source: svchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2575702483.0000023FDB155000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://signup.live.com/signup.aspx
        Source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp, is-H7LPP.tmp.1.dr, is-9VP29.tmp.1.dr, fastestvpndriver.sys.25.dr, is-5LPUL.tmp.1.dr String found in binary or memory: https://www.digicert.com/CPS0
        Source: ComDebug.exe, 00000030.00000002.4002071785.000001869C150000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.comP/CPS
        Source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4037191355.0000000008DC7000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3024841016.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-9A2GQ.tmp.1.dr, is-164FL.tmp.1.dr, is-3DN0E.tmp.1.dr, is-RE19F.tmp.1.dr String found in binary or memory: https://www.entrust.net/rpa0
        Source: FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.entrust.net/rpu
        Source: PVUfopbGfc.exe, 00000000.00000003.3123714779.0000000000A76000.00000004.00001000.00020000.00000000.sdmp, PVUfopbGfc.exe, 00000000.00000003.2126476328.0000000002790000.00000004.00001000.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.2131921729.00000000033C0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.fastestvpn.com/
        Source: PVUfopbGfc.exe, 00000000.00000003.2128223280.000000007FB7B000.00000004.00001000.00020000.00000000.sdmp, PVUfopbGfc.exe, 00000000.00000003.2127540219.0000000002790000.00000004.00001000.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000000.2129803767.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.innosetup.com/
        Source: FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.netlock.net/docs
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.newtonsoft.com/json
        Source: FastestVPN.WindowsService.exe, 0000002F.00000002.4014983868.0000000003D02000.00000002.00000001.01000000.0000004E.sdmp String found in binary or memory: https://www.newtonsoft.com/jsonschema
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014983868.0000000003D02000.00000002.00000001.01000000.0000004E.sdmp String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
        Source: PVUfopbGfc.exe, 00000000.00000003.2128223280.000000007FB7B000.00000004.00001000.00020000.00000000.sdmp, PVUfopbGfc.exe, 00000000.00000003.2127540219.0000000002790000.00000004.00001000.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000000.2129803767.0000000000401000.00000020.00000001.01000000.00000004.sdmp String found in binary or memory: https://www.remobjects.com/ps
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, is-7E4EB.tmp.1.dr String found in binary or memory: https://www.wireguard.com/donations/key
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, is-7E4EB.tmp.1.dr String found in binary or memory: https://www.wireguard.com/initSpan:
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: &Configuration:,M3.2.0,M11.1.0/managerservice476837158203125: cannot parse <invalid Value>ASCII_Hex_DigitAbout WireGuardAddDllDirectoryAddresses: NoneCLSIDFromStringCallWindowProcWCreateHardLinkWCreatePopupMenuCreateWindowExWDeviceIoControlDialogBoxParamWDragAcceptFilesDrawThemeTextExDuplicateHandleExcludeClipRectFailed to find Failed to load FindNextVolumeWFindVolumeCloseFlushViewOfFileFwpmEngineOpen0FwpmFreeMemory0GdiplusShutdownGetActiveWindowGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetDpiForWindowGetEnhMetaFileWGetModuleHandleGetMonitorInfoWGetProcessTimesGetRawInputDataGetSecurityInfoGetStartupInfoWGetTextMetricsWGetThreadLocaleHanifi_RohingyaImpersonateSelfInsertMenuItemWInvalid key: %vIsWindowEnabledIsWindowVisibleIsWow64Process2NTSTATUS 0x%08xNotTrueTypeFontOleUninitializeOpenThreadTokenOther_LowercaseOther_UppercasePlayEnhMetaFilePostQuitMessageProcess32FirstWProfileNotFoundPsalter_PahlaviPublicKey = %smemstr_b0227baa-c
        Source: C:\Program Files\FastestVPN\FastestVPN.exe File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-S7TFV.tmp
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{3de6fe3a-2caa-7342-a3c4-879d3bf6d444}\SETF8D5.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tap0901.cat (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-VU56I.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\tap0901.cat (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-9VP29.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\tap0901.cat (copy)
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\SETFBC3.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\tap0901.cat (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-T2HN9.tmp
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\tap0901.cat (copy)
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{3de6fe3a-2caa-7342-a3c4-879d3bf6d444}\tap0901.cat (copy)

        Spam, unwanted Advertisements and Ransom Demands

        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\FastestVPNService
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\FastestVPNService
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\Service1

        System Summary

        Source: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp, type: DROPPED Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe Code function: 26_2_10014000: ?nf_getDriverType@nfapi@@YAKXZ,EnterCriticalSection,LeaveCriticalSection,DeviceIoControl,LeaveCriticalSection,LeaveCriticalSection,26_2_10014000
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe Code function: 26_2_100134A0 ?nf_unRegisterDriver@nfapi@@YA?AW4_NF_STATUS@@PBD@Z,OpenSCManagerA,OpenServiceA,DeleteService,GetLastError,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,SetLastError,26_2_100134A0
        Source: C:\Windows\System32\xcopy.exe File created: C:\Windows\system32\drivers\fastestvpndriver.sys
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_6d4bec28a2ef0cdf
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\DriverStore\drvstore.tmp
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\inf\oem4.inf
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\SET586.tmp
        Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
        Source: C:\Windows\System32\drvinst.exe File deleted: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\SETFB65.tmp
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Process token adjusted: Load Driver
        Source: C:\Windows\System32\svchost.exe Process token adjusted: Security
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: String function: 1000A044 appears 35 times
        Source: C:\Program Files\FastestVPN\subinacl.exeCode function: String function: 0103E03C appears 110 times
        Source: C:\Program Files\FastestVPN\subinacl.exeCode function: String function: 0103E368 appears 75 times
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: String function: 00007FF798C781A8 appears 48 times
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1532 -ip 1532
        Source: PVUfopbGfc.tmp.0.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: is-9JV4C.tmp.1.drStatic PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
        Source: PVUfopbGfc.exe, 00000000.00000000.2126187053.00000000004B9000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFileName vs PVUfopbGfc.exe
        Source: PVUfopbGfc.exe, 00000000.00000003.2128223280.000000007FE2E000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs PVUfopbGfc.exe
        Source: PVUfopbGfc.exe, 00000000.00000003.2127540219.0000000002862000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFileName vs PVUfopbGfc.exe
        Source: PVUfopbGfc.exeBinary or memory string: OriginalFileName vs PVUfopbGfc.exe
        Source: PVUfopbGfc.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
        Source: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp, type: DROPPEDMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
        Source: is-DP0EK.tmp.1.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
        Source: is-5LPUL.tmp.1.drBinary string: seclevelZwQueryInformationProcessdisabledcallouts\DosDevices\CtrlSM\Device\CtrlSM\Registry\Machine\SYSTEM\ControlSet001\services\webssxFlow Established CalloutNFSDK Flow Established CalloutStream CalloutNFSDK Stream Callout\Registry\Machine\SYSTEM\ControlSet001\services\%samoncdw7amoncdw8symnetsnisdrvNFSDK Recv SublayerIPNFSDK Recv SublayerPROTNFSDK Recv SublayerNFSDK Sublayeracsockaswstmepfwwfprepfwwfpbdfwfpf_pcfsniklwfpswi_calloutNFSDK Provider
        Source: fastestvpndriver.sys.25.drBinary string: \Device\CtrlSM
        Source: classification engineClassification label: mal54.troj.spyw.expl.evad.winEXE@78/368@1/1
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C452E0 CharNextW,CharNextW,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,10_2_00007FF798C452E0
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C44D80 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,InitiateSystemShutdownExW,10_2_00007FF798C44D80
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_100139D0 ?nf_adjustProcessPriviledges@nfapi@@YAXXZ,GetCurrentProcessId,OpenProcess,OpenProcessToken,CloseHandle,LookupPrivilegeValueA,CloseHandle,CloseHandle,AdjustTokenPrivileges,CloseHandle,CloseHandle,CloseHandle,26_2_100139D0
        Source: C:\Program Files\FastestVPN\subinacl.exeCode function: 43_2_0101CA79 LookupPrivilegeValueW,AdjustTokenPrivileges,PrivilegeCheck,GetLastError,_CxxThrowException,43_2_0101CA79
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: OpenSCManagerA,CreateServiceW,CloseServiceHandle,GetLastError,GetLastError,OpenServiceA,QueryServiceStatus,StartServiceA,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,26_2_10013540
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF6DB6B58A0 LoadCursorW,GetModuleHandleW,LoadIconW,RegisterClassW,MonitorFromPoint,FlutterDesktopGetDpiForMonitor,GetModuleHandleW,CreateWindowExW,CoCreateInstance,48_2_00007FF6DB6B58A0
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_10013540 OpenSCManagerA,CreateServiceW,CloseServiceHandle,GetLastError,GetLastError,OpenServiceA,QueryServiceStatus,StartServiceA,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,26_2_10013540
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeCode function: 47_2_00F513E8 StartServiceCtrlDispatcherW,47_2_00F513E8
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeCode function: 47_2_00F513E2 StartServiceCtrlDispatcherW,47_2_00F513E2
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Users\Public\Desktop\FastestVPN.lnk
        Source: C:\Windows\System32\drvinst.exeMutant created: \BaseNamedObjects\DrvInst.exe_mutex_{5B10AC83-4F13-4fde-8C0B-B85681BA8D73}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5804:120:WilError_03
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMutant created: NULL
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4036:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1080:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:576:120:WilError_03
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMutant created: \Sessions\1\BaseNamedObjects\F7ADS2TDE9SFT7VCP4NAF2A1S4TAE7S8TBVDPEN5FAA3S0T3EFS6T1V4PDN4F8user
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMutant created: \Sessions\1\BaseNamedObjects\Global\8C9EED5B-604B-4700-866A-6A9606527CC6
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6784:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5084:120:WilError_03
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
        Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1532
        Source: C:\Users\user\Desktop\PVUfopbGfc.exe File created: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\driver\install_tap.bat""
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCommand line argument: nfregdvr26_2_00401050
        Source: C:\Users\user\Desktop\PVUfopbGfc.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File read: C:\Program Files\desktop.ini
        Source: C:\Users\user\Desktop\PVUfopbGfc.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
        Source: PVUfopbGfc.exeReversingLabs: Detection: 21%
        Source: tapinstall.exeString found in binary or memory: itioned on the newly-added filter. ! Deletes the next occurrence of the specified filter. When the subcommand
        Source: tapinstall.exeString found in binary or memory: of the list. When the subcommand completes, the cursor is positioned on the newly-added filter. + Add after. I
        Source: FastestVPN.WindowsService.exeString found in binary or memory: registerHubProxies(proxies, true); this._registerSubscribedHubs(); }).disconnected(function () { // Unsubscribe all hub proxies when we "disconnect". This is to ensure that we do not re-add functional call backs.
        Source: FastestVPN.WindowsService.exeString found in binary or memory: /installtunnelservice "
        Source: PVUfopbGfc.exeString found in binary or memory: /LOADINF="filename"
        Source: C:\Users\user\Desktop\PVUfopbGfc.exe File read: C:\Users\user\Desktop\PVUfopbGfc.exe
        Source: unknownProcess created: C:\Users\user\Desktop\PVUfopbGfc.exe "C:\Users\user\Desktop\PVUfopbGfc.exe"
        Source: C:\Users\user\Desktop\PVUfopbGfc.exeProcess created: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp "C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp" /SL5="$10438,20382094,735744,C:\Users\user\Desktop\PVUfopbGfc.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\driver\install_tap.bat""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "x86"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe tapinstall.exe remove tap0901
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe tapinstall.exe install OemVista.inf tap0901
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{3de6fe3a-2caa-7342-a3c4-879d3bf6d444}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "c:\program files\fastestvpn\resources\driver\windows10\amd64"
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\System32\drvinst.exe DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "0000000000000158"
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\sp\install_sp.bat""
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop fastestvpndriver
        Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "x86"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "Windows 7"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe release\nfregdrv.exe -u fastestvpndriver
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe release\nfregdrv.exe fastestvpndriver
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" stop FastestVPNService
        Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --uninstall
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1532 -ip 1532
        Source: unknownProcess created: C:\Program Files\FastestVPN\FastestVPN.exe "C:\Program Files\FastestVPN\FastestVPN.exe" -autorun
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1076
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
        Source: C:\Windows\System32\drvinst.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" delete FastestVPNService
        Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --install
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Program Files\FastestVPN\subinacl.exe "C:\Program Files\FastestVPN\subinacl.exe" /service FastestVPNService /GRANT=everyone=TO
        Source: C:\Program Files\FastestVPN\subinacl.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Windows\System32\sc.exe "C:\Windows\system32\sc.exe" start FastestVPNService
        Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe "C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe"
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Program Files\FastestVPN\Resources\ComDebug.exe "C:\Program Files\FastestVPN\Resources\ComDebug.exe"
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
        Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess created: C:\Program Files\FastestVPN\FastestVPN.exe "C:\Program Files\FastestVPN\FastestVPN.exe"
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1076
        Source: C:\Windows\SysWOW64\WerFault.exeProcess created: unknown unknown
        Source: C:\Windows\System32\svchost.exeSection loaded: umpnpmgr.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: devrtl.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: devrtl.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: drvstore.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: msasn1.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: cryptsp.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: rsaenh.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: cryptbase.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: gpapi.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: devrtl.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: drvstore.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: devobj.dllJump to behavior
        Source: C:\Windows\System32\drvinst.exeSection loaded: cabinet.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netsetupsvc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netsetupapi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: netsetupengine.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: implatsetup.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: devrtl.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: spinf.dllJump to behavior
        Source: C:\Windows\System32\svchost.exeSection loaded: drvstore.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: cmdext.dllJump to behavior
        Source: C:\Windows\System32\cmd.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Windows\System32\find.exeSection loaded: ulib.dll
        Source: C:\Windows\System32\find.exeSection loaded: fsutilext.dll
        Source: C:\Windows\System32\xcopy.exeSection loaded: ulib.dll
        Source: C:\Windows\System32\xcopy.exeSection loaded: ifsutil.dll
        Source: C:\Windows\System32\xcopy.exeSection loaded: devobj.dll
        Source: C:\Windows\System32\xcopy.exeSection loaded: fsutilext.dll
        Source: C:\Windows\System32\xcopy.exeSection loaded: ntmarta.dll
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeSection loaded: apphelp.dll
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeSection loaded: nfapi.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: mscoree.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: apphelp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: version.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: windows.storage.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: wldp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: profapi.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: cryptsp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: rsaenh.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wersvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: windowsperformancerecordercontrol.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: weretw.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: faultrep.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dbghelp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dbgcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wer.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: mscoree.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: apphelp.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: version.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: uxtheme.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: cryptsp.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: rsaenh.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: cryptbase.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dwrite.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: msvcp140_clr0400.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: sspicli.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: mswsock.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: windows.storage.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: wldp.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: profapi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dwmapi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: d3d9.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: d3d10warp.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: urlmon.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: iertutil.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: srvcli.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: netutils.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: windowscodecs.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: wtsapi32.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: winsta.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: powrprof.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: umpdc.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dataexchange.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: d3d11.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dcomp.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dxgi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: twinapi.appcore.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dxcore.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: textshaping.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: textinputframework.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: coreuicomponents.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: coremessaging.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: ntmarta.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: coremessaging.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: wintypes.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: msctfui.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: uiautomationcore.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: propsys.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: d3dcompiler_47.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: winmm.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: msasn1.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: riched20.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: usp10.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: msls31.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: gpapi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: cryptnet.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: iphlpapi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: winnsi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: winhttp.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dhcpcsvc6.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dhcpcsvc.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: webio.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: dnsapi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: rasadhlp.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: fwpuclnt.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: wbemcomn.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: amsi.dll
        Source: C:\Program Files\FastestVPN\FastestVPN.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wlidsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: clipc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: windows.storage.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msxml6.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wtsapi32.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winsta.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: gamestreamingext.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msauserext.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: tbs.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptnet.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptngc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: devobj.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptprov.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: elscore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: elstrans.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: napinsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: pnrpnsp.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshbth.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: nlaapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mswsock.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dnsapi.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: winrnr.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: qmgr.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsperf.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: xmllite.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: firewallapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: esent.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntmarta.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: profapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: flightsettings.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: policymanager.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msvcp110_win.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netprofm.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: npmproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsigd.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: upnp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winhttp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ssdpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: urlmon.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: iertutil.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: srvcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: netutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: appxdeploymentclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptbase.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmauto.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: miutils.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wsmsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: pcwum.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: wkscli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msv1_0.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntlmshared.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptdll.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: webio.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: winnsi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rmclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: usermgrcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: propsys.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: coremessaging.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: twinapi.appcore.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: onecorecommonproxystub.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: execmodelproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: resourcepolicyclient.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vssapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: vsstrace.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samcli.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: samlib.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: es.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: bitsproxy.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ondemandconnroutehelper.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dhcpcsvc.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: schannel.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mskeyprotect.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ntasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncrypt.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: ncryptsslp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: msasn1.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: cryptsp.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: rsaenh.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: dpapi.dll
        Source: C:\Windows\System32\svchost.exeSection loaded: mpr.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: mscoree.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: version.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: windows.storage.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: wldp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: profapi.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: cryptsp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: rsaenh.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: cryptbase.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: urlmon.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: iertutil.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: srvcli.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: netutils.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: sspicli.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: propsys.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: msasn1.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: riched20.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: usp10.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: msls31.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: gpapi.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: apphelp.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: mfc42u.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: msvcirt.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: msvcp60.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: version.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: netapi32.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: mpr.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: clusapi.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: samlib.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: dnsapi.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: srvcli.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: netutils.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: logoncli.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: samcli.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: iphlpapi.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: uxtheme.dll
        Source: C:\Program Files\FastestVPN\subinacl.exeSection loaded: ntmarta.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: mscoree.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: kernel.appcore.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: version.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: vcruntime140_clr0400.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: ucrtbase_clr0400.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: windows.storage.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: wldp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: profapi.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: mswsock.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: cryptsp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: rsaenh.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: cryptbase.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: iphlpapi.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: httpapi.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: urlmon.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: iertutil.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: srvcli.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: netutils.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: sspicli.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: propsys.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: dnsapi.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: rasadhlp.dll
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeSection loaded: fwpuclnt.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: desktop_drop_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: desktop_multi_window_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: file_selector_windows_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: flutter_custom_cursor_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: flutter_gpu_texture_renderer_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: screen_retriever_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: texture_rgba_renderer_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: uni_links_desktop_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: url_launcher_windows_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: window_manager_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: window_size_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: flutter_windows.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: url_launcher_windows_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: window_size_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: texture_rgba_renderer_plugin.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: flutter_windows.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: dwmapi.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: flutter_windows.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: dwmapi.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: flutter_windows.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: iphlpapi.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: winmm.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: opengl32.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: oleacc.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: uiautomationcore.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: propsys.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: dxgi.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: d3d9.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: glu32.dll
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeSection loaded: propsys.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Window found: window name: TMainForm
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Install
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: Next
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpAutomated click: I accept the agreement
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL
        Source: Window Recorder Window detected: More than 3 window changes detected
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Window detected: License Agreement Please read the following important information before continuing. Please read the following License Agreement. You must accept the terms of this agreement before continuing with the installation. Terms of Service This is an agreement between you and FastestVPN.com for virtual private network communications services related services and features. It is NOT a service for the commission of criminal acts. It is an anonymity and privacy service. You agree not to violate any laws of any jurisdiction you are originating from or terminating into. You agree to protect your user id/password and our system from unauthorized use. You are responsible for all actions that occur on our servers where the login uses your user id/password. You agree not to use the system for sending spam port scanning scanning for open proxies or open relays sending opt-in email unsolicited email or any type or version of email sent in large quantities even if the email is ultimately sent off of another server. You agree not to launch any pop-ups from our service. You agree not to attack in any way shape or form any other computer or network while on our service. Actual service coverage speeds locations and quality may vary. The Service will attempt to be available at all times except for limited periods for maintenance and repair. However the Service may be subject to unavailability for a variety of factors beyond our control including emergencies third party service failures transmission equipment or network problems or limitations interference signal strength and may be interrupted refused limited or curtailed. We are not responsible for data messages or pages lost not delivered delayed or misdirected because of interruptions or performance issues with the Service or communications services or networks (e.g. T-1 lines or the Internet).
We may impose usage or Service limits suspend Service or block certain kinds of usage in our sole discretion to protect users or the Service. Network speed is an estimate and is no indication of the speed at which your or the Service sends or receives data. Actual network speed will vary based on configuration compression network congestion and other factors. The accuracy and timeliness of data received is not guaranteed; delays or omissions may occur. We do not log any user activity (sites visited DNS lookups emails etc.) We only log access attempts to our servers (for security and troubleshooting). We do not get involved in any form of censorship. We do not give your personal info to any third parties. We do not cooperate with any requests for information unless we are ordered by a court of competent jurisdiction and the vast majority of these requests would not be from a court of competent jurisdiction. We will protect you to the max and our system is setup to automatically do so. There are hundreds of good reasons for being anonymous and we respect them fully. Hacking cracking distribution of viruses fraudulent activities network sa
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\unins000.dat
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-56J26.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-LOLBQ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-VIT86.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-G9QJE.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-942TQ.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-B80D1.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-N1V1C.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-FJOGB.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-RE19F.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDirectory created: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmpJump to behavior
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\data
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\data\is-ADGAV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\data\is-0H0F8.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\data\is-H10ET.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\data\is-ARL0G.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\is-CHAOM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\is-AOAIR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\windows
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\windows\i386
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\windows10
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\is-EAH1B.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\is-BC6TM.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\amd64
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\amd64\is-59VFL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\i386
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\i386\is-5LPUL.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\amd64
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\amd64\is-A14JT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\i386
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\i386\is-0T1HF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\release
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\release\is-7K05F.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Resources\sp\release\is-187AR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Directory created: C:\Program Files\FastestVPN\Service
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Directory created: C:\Program Files\FastestVPN\Service\InstallUtil.InstallLog
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Directory created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Directory created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallState
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FastestVPN_is1
        Source: PVUfopbGfc.exe Static PE information: certificate valid
        Source: PVUfopbGfc.exe Static file information: File size 21250384 > 1048576
        Source: PVUfopbGfc.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
        Source: Binary string: System.Configuration.Install.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: ceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4047258906.000000000C262000.00000002.00000001.01000000.0000002E.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdbX source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb@ source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\Users\samuli\source\repos\tap-windows6\devcon\x64\Release\devcon.pdb source: tapinstall.exe, 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, tapinstall.exe, 0000000A.00000000.2467264537.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, tapinstall.exe, 0000000B.00000000.2472764567.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, tapinstall.exe, 0000000B.00000002.2531778440.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp, is-H7LPP.tmp.1.dr
        Source: Binary string: mTC:\Windows\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: C:\BuildAgent\work\da2c3d9512902c54\Tooling\obj\Release\System.Web.Cors\System.Web.Cors.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4012901383.0000000003B72000.00000002.00000001.01000000.00000049.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdbe\FastestVPN.WindowsServic source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN\obj\Debug\VPN.pdbB3\3 N3_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4013966396.0000000003C42000.00000002.00000001.01000000.0000004B.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.Common\obj\Debug\VPN.Common.pdb source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000001E.00000002.3012856544.0000000004F32000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4047412647.000000000C282000.00000002.00000001.01000000.0000002F.sdmp, is-3DN0E.tmp.1.dr
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb@\cq^/_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\FastestVPN.WindowsService.pdbpdbice.pdb35 source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdbSHA256Z source: FastestVPN.WindowsService.exe, 0000001E.00000002.3013228401.0000000005312000.00000002.00000001.01000000.0000000E.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\exe\FastestVPN.WindowsService.pdbesm source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Microsoft.Owin.Cors.pdbSHA256 source: FastestVPN.WindowsService.exe, 0000002F.00000002.4012410200.0000000003B52000.00000002.00000001.01000000.00000047.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.AspNet.SignalR.Core.pdbJ source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.00000000008A8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: E:\nt\dnsrv\sdktools\reskit\content\subinacl\source\obj\i386\subinacl.pdb source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, subinacl.exe, subinacl.exe, 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, subinacl.exe, 0000002B.00000000.3029456952.0000000001001000.00000020.00000001.01000000.00000032.sdmp
        Source: Binary string: Microsoft.Owin.Cors.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4012410200.0000000003B52000.00000002.00000001.01000000.00000047.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Common\obj\Release\FastestVPN.Common.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4009855225.0000000003722000.00000002.00000001.01000000.00000033.sdmp
        Source: Binary string: Microsoft.Owin.Diagnostics.pdbSHA256 source: FastestVPN.WindowsService.exe, 0000002F.00000002.4013460664.0000000003C12000.00000002.00000001.01000000.00000048.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN\obj\Debug\VPN.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013966396.0000000003C42000.00000002.00000001.01000000.0000004B.sdmp
        Source: Binary string: C:\users\vagrant\buildbot\windows-server-2019-static-msbuild\openvpn\x64-Output\Release\openvpn.pdbttLnGCTL source: is-164FL.tmp.1.dr
        Source: Binary string: c:\Users\Junaid AK\Desktop\New folder (2)\SingleInstanceApplication\SingleInstanceApplication\obj\Release\SingleInstanceApplication.pdb source: FastestVPN.exe, 00000034.00000002.3106868206.0000000004E62000.00000002.00000001.01000000.00000012.sdmp
        Source: Binary string: Microsoft.Owin.Hosting.pdbSHA256d"M! source: FastestVPN.WindowsService.exe, 0000002F.00000002.4010652534.0000000003A42000.00000002.00000001.01000000.00000034.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.provider.dynamic_cdecl\obj\Release\netstandard2.0\SQLitePCLRaw.provider.dynamic_cdecl.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4047412647.000000000C282000.00000002.00000001.01000000.0000002F.sdmp, is-3DN0E.tmp.1.dr
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.OpenVpn\obj\Debug\VPN.OpenVpn.pdbRhlh ^h_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4014061839.0000000003C52000.00000002.00000001.01000000.0000004C.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4032653581.00000000065A2000.00000002.00000001.01000000.0000002B.sdmp, is-Q3SSJ.tmp.1.dr
        Source: Binary string: /_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000001E.00000002.3013228401.0000000005312000.00000002.00000001.01000000.0000000E.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: c:\projects\projectsJ\nfsdk2_1.6\bin\release\win32\nfapi.pdb< source: nfregdrv.exe, 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp, nfregdrv.exe, 0000001B.00000002.2548897423.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
        Source: Binary string: Hardcodet.NotifyIcon.Wpf.pdbSHA256[ source: FastestVPN.exe, 00000021.00000002.4030148839.00000000062B2000.00000002.00000001.01000000.0000001F.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4032743479.00000000065B2000.00000002.00000001.01000000.0000002C.sdmp
        Source: Binary string: h:\projects\netfilter3\bin\Release\Win32\nfregdrv.pdb )0THi source: nfregdrv.exe, 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001A.00000000.2543194274.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000000.2548063602.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000002.2548485149.0000000000408000.00000002.00000001.01000000.00000009.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdbSHA256x source: FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4046582845.000000000BC82000.00000002.00000001.01000000.0000002D.sdmp
        Source: Binary string: \??\C:\Windows\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\agent\_work\13\s\\binaries\amd64ret\bin\amd64\\vcruntime140.amd64.pdb source: is-RE19F.tmp.1.dr
        Source: Binary string: $cqEC:\Program Files\FastestVPN\Service\Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: C:\b\s\w\ir\cache\builder\src\out\host_release\flutter_windows.dll.pdb source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\System.ServiceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\projects\projectsJ\nfsdk2_1.6\driver_wfp\Win8\Win8Release\x64\netfilter2.pdb source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr
        Source: Binary string: tem.pdbp source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: h:\projects\netfilter3\bin\Release\Win32\nfregdrv.pdb source: nfregdrv.exe, 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001A.00000000.2543194274.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000000.2548063602.0000000000408000.00000002.00000001.01000000.00000009.sdmp, nfregdrv.exe, 0000001B.00000002.2548485149.0000000000408000.00000002.00000001.01000000.00000009.sdmp
        Source: Binary string: ntdll.pdbUGP source: ComDebug.exe, 00000030.00000002.4003301111.000001869C890000.00000004.00000800.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002937059.000001869C49E000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4003848423.000001869CA91000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: C:\Windows\System.Configuration.Install.pdbpdball.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: agar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000C0D000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.Common\obj\Debug\VPN.Common.pdbH source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000001E.00000002.3012856544.0000000004F32000.00000002.00000001.01000000.0000000F.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.WireGuard\obj\Debug\VPN.WireGuard.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014641170.0000000003CA2000.00000002.00000001.01000000.00000050.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Data.Local\obj\Release\FastestVPN.Data.Local.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027480345.0000000005FE2000.00000002.00000001.01000000.0000001D.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4025039964.0000000005A62000.00000002.00000001.01000000.00000015.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.WindowsService\obj\Release\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000001E.00000000.2551119623.0000000000682000.00000002.00000001.01000000.0000000B.sdmp, is-9A2GQ.tmp.1.dr
        Source: Binary string: E:\A\_work\89\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard\System.Memory.pdbSHA256HXhZm source: FastestVPN.exe, 00000021.00000002.4047875216.000000000C2F2000.00000002.00000001.01000000.00000030.sdmp
        Source: Binary string: Microsoft.Owin.pdbSHA256 source: FastestVPN.WindowsService.exe, 0000002F.00000002.4011595996.0000000003A92000.00000002.00000001.01000000.00000035.sdmp
        Source: Binary string: mscorlib.pdb source: FastestVPN.exe, 00000021.00000002.4034278894.0000000008D06000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: $cq^/_/artifacts/obj/Microsoft.AspNet.SignalR.Core/Release/net45/Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.RAS\obj\Debug\VPN.RAS.pdb source: PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014432584.0000000003C92000.00000002.00000001.01000000.0000004D.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.AspNet.SignalR.Core.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.00000000008A8000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection.Abstractions/Release/net462/Microsoft.Extensions.DependencyInjection.Abstractions.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4025039964.0000000005A62000.00000002.00000001.01000000.00000015.sdmp
        Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4032157107.0000000006522000.00000002.00000001.01000000.00000020.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4033102283.00000000067C2000.00000002.00000001.01000000.0000002A.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.ServiceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.ViewModel\obj\Release\FastestVPN.ViewModel.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027000296.0000000005F82000.00000002.00000001.01000000.00000019.sdmp
        Source: Binary string: Microsoft.Owin.Host.HttpListener.pdbSHA256-( source: FastestVPN.WindowsService.exe, 0000002F.00000002.4012036671.0000000003AC2000.00000002.00000001.01000000.00000038.sdmp
        Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\repos\main\SSH2\Release\pdbs\BvUpdateLauncher.pdb source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\symbols\exe\FastestVPN.WindowsService.pdbvqZ source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Microsoft.Owin.Security.pdbSHA256U source: FastestVPN.WindowsService.exe, 0000002F.00000002.4013038438.0000000003B82000.00000002.00000001.01000000.0000004A.sdmp
        Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\FastestVPN.WindowsService.pdbLl H source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Data.Remote\obj\Release\FastestVPN.Data.Remote.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027602256.0000000005FF2000.00000002.00000001.01000000.0000001E.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.BLL\obj\Release\FastestVPN.BLL.pdbVepe be_CorDllMainmscoree.dll source: FastestVPN.exe, 00000021.00000002.4027318098.0000000005FD2000.00000002.00000001.01000000.0000001C.sdmp
        Source: Binary string: symbols\exe\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.OpenVpn\obj\Debug\VPN.OpenVpn.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014061839.0000000003C52000.00000002.00000001.01000000.0000004C.sdmp
        Source: Binary string: C:\Windows\System.ServiceProcess.pdbpdbess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4025702426.0000000005BC2000.00000002.00000001.01000000.00000017.sdmp
        Source: Binary string: msvcr100.i386.pdb source: is-1EFGP.tmp.1.dr
        Source: Binary string: Microsoft.Owin.Diagnostics.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013460664.0000000003C12000.00000002.00000001.01000000.00000048.sdmp
        Source: Binary string: System.ServiceProcess.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdbU source: FastestVPN.exe, 00000021.00000002.4043006984.000000000B738000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4025844437.0000000005BD2000.00000002.00000001.01000000.00000016.sdmp
        Source: Binary string: System.Configuration.Install.pdbxF source: FastestVPN.WindowsService.exe, 0000001E.00000002.3011958094.0000000002A96000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.WireGuard\obj\Debug\VPN.WireGuard.pdb2;L; >;_CorDllMainmscoree.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4014641170.0000000003CA2000.00000002.00000001.01000000.00000050.sdmp
        Source: Binary string: \??\C:\Windows\System.Configuration.Install.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: E:\nt\dnsrv\sdktools\reskit\content\subinacl\source\obj\i386\subinacl.pdbPa source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, subinacl.exe, 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, subinacl.exe, 0000002B.00000000.3029456952.0000000001001000.00000020.00000001.01000000.00000032.sdmp
        Source: Binary string: C:\Windows\Microsoft.NET\Framework\v4.0.30319\spNet.SignalR.Core.pdb561934e089\System.dll source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\projects\projectsJ\nfsdk2_1.6\driver_wfp\Win8\Win8Release\x64\netfilter2.pdb source: xcopy.exe, 00000019.00000002.2541736359.000001461D57C000.00000004.00000020.00020000.00000000.sdmp, fastestvpndriver.sys.25.dr
        Source: Binary string: D:\a\1\s\SDK\AppCenterAnalytics\Microsoft.AppCenter.Analytics.WindowsDesktop\obj\Microsoft.AppCenter.Analytics.WindowsDesktop\Release\net472\Microsoft.AppCenter.Analytics.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4032653581.00000000065A2000.00000002.00000001.01000000.0000002B.sdmp, is-Q3SSJ.tmp.1.dr
        Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Threading.Tasks.Extensions\netfx\System.Threading.Tasks.Extensions.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4026147118.0000000005BF2000.00000002.00000001.01000000.00000018.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Diagnostics\obj\Release\FastestVPN.Diagnostics.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4026760772.0000000005F52000.00000002.00000001.01000000.0000001B.sdmp
        Source: Binary string: c:\projects\projectsJ\nfsdk2_1.6\bin\release\win32\nfapi.pdb source: nfregdrv.exe, 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp, nfregdrv.exe, 0000001B.00000002.2548897423.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Bcl.AsyncInterfaces/Release/net462/Microsoft.Bcl.AsyncInterfaces.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4025702426.0000000005BC2000.00000002.00000001.01000000.00000017.sdmp
        Source: Binary string: c:\Users\lodejard\Projects\owin-hosting\src\main\Owin.Startup\obj\Release\Owin.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4010427946.0000000003A22000.00000002.00000001.01000000.00000036.sdmp
        Source: Binary string: Microsoft.Owin.Hosting.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4010652534.0000000003A42000.00000002.00000001.01000000.00000034.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.DependencyInjection\obj\Release\FastestVPN.DI.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4024820735.0000000005A52000.00000002.00000001.01000000.00000014.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenterCrashes\Microsoft.AppCenter.Crashes.WindowsDesktop\obj\Microsoft.AppCenter.Crashes.WindowsDesktop\Release\net472\Microsoft.AppCenter.Crashes.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4032743479.00000000065B2000.00000002.00000001.01000000.0000002C.sdmp
        Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.DependencyInjection/Release/net462/Microsoft.Extensions.DependencyInjection.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4025844437.0000000005BD2000.00000002.00000001.01000000.00000016.sdmp
        Source: Binary string: c:\Users\Junaid AK\Desktop\New folder (2)\SingleInstanceApplication\SingleInstanceApplication\obj\Release\SingleInstanceApplication.pdb@:^: P:_CorDllMainmscoree.dll source: FastestVPN.exe, 00000034.00000002.3106868206.0000000004E62000.00000002.00000001.01000000.00000012.sdmp
        Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4014983868.0000000003D02000.00000002.00000001.01000000.0000004E.sdmp
        Source: Binary string: E:\A\_work\89\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Memory\netstandard\System.Memory.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4047875216.000000000C2F2000.00000002.00000001.01000000.00000030.sdmp
        Source: Binary string: C:\projects\wpfanimatedgif\WpfAnimatedGif\obj\Release\net40\WpfAnimatedGif.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4032157107.0000000006522000.00000002.00000001.01000000.00000020.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.BLL\obj\Release\FastestVPN.BLL.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027318098.0000000005FD2000.00000002.00000001.01000000.0000001C.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.bundle_green\obj\Release\net461\SQLitePCLRaw.batteries_v2.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4046582845.000000000BC82000.00000002.00000001.01000000.0000002D.sdmp
        Source: Binary string: Microsoft.Owin.Security.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013038438.0000000003B82000.00000002.00000001.01000000.0000004A.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Common\obj\Release\FastestVPN.Common.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4009855225.0000000003722000.00000002.00000001.01000000.00000033.sdmp
        Source: Binary string: $cq!Microsoft.AspNet.SignalR.Core.pdb`,cq)"<>| source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp
        Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4014983868.0000000003D02000.00000002.00000001.01000000.0000004E.sdmp
        Source: Binary string: D:\VPN core\FastestVPN-Windows-Core\VPN.AdvancedNetwork\obj\Debug\VPN.AdvancedNetwork.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4013290724.0000000003BA2000.00000002.00000001.01000000.0000004F.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN\obj\Release\FastestVPN.pdb source: FastestVPN.exe, 00000021.00000000.2556167856.0000000000CCD000.00000002.00000001.01000000.00000010.sdmp
        Source: Binary string: c:\projects\projectsj\nfsdk2_1.6\driver_wfp\std\objfre_win7_x86\i386\netfilter2.pdb source: is-5LPUL.tmp.1.dr
        Source: Binary string: System.pdb source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Microsoft.Owin.Host.HttpListener.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4012036671.0000000003AC2000.00000002.00000001.01000000.00000038.sdmp
        Source: Binary string: D:\a\1\s\SDK\AppCenter\Microsoft.AppCenter.WindowsDesktop\obj\Microsoft.AppCenter.WindowsDesktop\Release\net472\Microsoft.AppCenter.pdbSHA256 source: FastestVPN.exe, 00000021.00000002.4033102283.00000000067C2000.00000002.00000001.01000000.0000002A.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.Data.Remote\obj\Release\FastestVPN.Data.Remote.pdbb^|^ n^_CorDllMainmscoree.dll source: FastestVPN.exe, 00000021.00000002.4027602256.0000000005FF2000.00000002.00000001.01000000.0000001E.sdmp
        Source: Binary string: D:\Sagar Work FastestVPN\FastestVPN-Windows-App\FastestVPN.DependencyInjection\obj\Release\FastestVPN.DI.pdbY6s6 e6_CorDllMainmscoree.dll source: FastestVPN.exe, 00000021.00000002.4024820735.0000000005A52000.00000002.00000001.01000000.00000014.sdmp
        Source: Binary string: \??\C:\Windows\exe\FastestVPN.WindowsService.pdb3 source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: FastestVPN.exe, 00000021.00000002.4043006984.000000000B738000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: C:\users\vagrant\buildbot\windows-server-2019-static-msbuild\openvpn\x64-Output\Release\openvpn.pdb source: is-164FL.tmp.1.dr
        Source: Binary string: C:\Users\samuli\source\repos\tap-windows6\src\x64\Release\tap0901.pdb source: drvinst.exe, 0000000E.00000003.2501420084.000001F40B804000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.2495027565.000001F40B75E000.00000004.00000020.00020000.00000000.sdmp, drvinst.exe, 0000000E.00000003.2501048553.000001F40B803000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: ntdll.pdb source: ComDebug.exe, 00000030.00000002.4003301111.000001869C890000.00000004.00000800.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4002937059.000001869C49E000.00000004.00000020.00020000.00000000.sdmp, ComDebug.exe, 00000030.00000002.4003848423.000001869CA91000.00000004.00000001.00020000.00000000.sdmp
        Source: Binary string: D:\a\SQLitePCL.raw\SQLitePCL.raw\SQLitePCL.raw\src\SQLitePCLRaw.core\obj\Release\netstandard2.0\SQLitePCLRaw.core.pdbSHA256Ci\ source: FastestVPN.exe, 00000021.00000002.4006176311.0000000001527000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4047258906.000000000C262000.00000002.00000001.01000000.0000002E.sdmp
        Source: Binary string: Microsoft.Owin.pdb source: FastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000002F.00000002.4011595996.0000000003A92000.00000002.00000001.01000000.00000035.sdmp
        Source: Binary string: \??\C:\Windows\dll\System.Configuration.Install.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: mC:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.pdby source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: Windows\dll\mscorlib.pdb}Wl source: FastestVPN.exe, 00000021.00000002.4042897141.000000000B729000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: m.pdb source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009656553.0000000000AF9000.00000004.00000010.00020000.00000000.sdmp
        Source: Binary string: \??\C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.PDB*H( source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BE3000.00000004.00000020.00020000.00000000.sdmp
        Source: Binary string: Hardcodet.NotifyIcon.Wpf.pdb source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4030148839.00000000062B2000.00000002.00000001.01000000.0000001F.sdmp
        Source: Binary string: \??\C:\Windows\symbols\exe\FastestVPN.WindowsService.pdb00 source: FastestVPN.WindowsService.exe, 0000001E.00000002.3009840972.0000000000BB2000.00000004.00000020.00020000.00000000.sdmp

        Data Obfuscation

        Source: C:\Program Files\FastestVPN\FastestVPN.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
        Source: is-36FVS.tmp.1.dr Static PE information: 0xAB462008 [Fri Jan 21 02:20:56 2061 UTC]
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Code function: 10_2_00007FF798C434B0 GetFullPathNameW,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,FreeLibrary,FreeLibrary
        Source: PVUfopbGfc.exe Static PE information: section name: .didata
        Source: PVUfopbGfc.tmp.0.dr Static PE information: section name: .didata
        Source: is-H7LPP.tmp.1.dr Static PE information: section name: _RDATA
        Source: is-9JV4C.tmp.1.dr Static PE information: section name: .didata
        Source: is-DP0EK.tmp.1.dr Static PE information: section name: .text entropy: 7.662424467871785

        Persistence and Installation Behavior

        Source: C:\Windows\System32\cmd.exe Process created: reg.exe
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\tapinstall.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\is-STPBV.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\is-0QPA2.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\is-K8EEM.tmp
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe File created: C:\Users\user\AppData\Roaming\linkinfo\window_size_plugin.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Microsoft.Extensions.DependencyInjection.Abstractions.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\is-SEDKF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\file_selector_windows_plugin.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\is-28E9M.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\is-N1V1C.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\is-KM19Q.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\libssl-1_1-x64.dll (copy)
        Source: C:\Windows\System32\drvinst.exe File created: C:\Windows\System32\drivers\SET586.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\tap0901.sys (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\iphelperclose.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Microsoft.AppCenter.Crashes.dll (copy)
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe File created: C:\Users\user\AppData\Roaming\linkinfo\flutter_windows.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\is-ESVSH.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\is-HV7DI.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\iphelperclose.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\flutter_gpu_texture_renderer_plugin.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Hosting.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\is-KR8E2.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\nfapi.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\is-TM4NE.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\i386\fastestvpndriver.sys (copy)
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe File created: C:\Users\user\AppData\Roaming\linkinfo\window_manager_plugin.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\is-6VF2K.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\subinacl.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\is-G1K0R.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\libssl32.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\unins000.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\openvpnserv.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\is-9CU0N.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\is-8PJAJ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\tapinstall.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\FastestVPN.Data.Remote.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\openssl.exe (copy)
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe File created: C:\Users\user\AppData\Local\Temp\{3de6fe3a-2caa-7342-a3c4-879d3bf6d444}\tap0901.sys (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\SQLitePCLRaw.batteries_v2.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\sp\release\nfapi.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\is-DN2OR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Resources\is-RV0DT.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Microsoft.AppCenter.Analytics.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp File created: C:\Program Files\FastestVPN\Service\subinacl.exe (copy)
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe File created: C:\Users\user\AppData\Roaming\linkinfo\desktop_multi_window_plugin.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-K6RGO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-DJ6NL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\i386\is-0T1HF.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-MVU9I.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\liblzo2-2.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-L35S6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-UCN4E.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\System.Threading.Tasks.Extensions.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\System.Memory.dll (copy)Jump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeFile created: C:\Users\user\AppData\Roaming\linkinfo\desktop_drop_plugin.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-84KDK.tmpJump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeFile created: C:\Users\user\AppData\Roaming\linkinfo\url_launcher_windows_plugin.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\amd64\is-A14JT.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-JCMQP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\ComDebug.exe (copy)Jump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeFile created: C:\Users\user\AppData\Roaming\linkinfo\texture_rgba_renderer_plugin.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-16JBJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-VIT86.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-UCOLB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-SAAPO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-C2DGA.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\tap0901.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\VPN.RAS.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-INOQ4.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Microsoft.AspNet.SignalR.Client.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-PN3F9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-7ND37.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\FastestVPN.BLL.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-PA9AI.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\fix-dns-leak-32.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-56J26.tmpJump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeFile created: C:\Users\user\AppData\Roaming\linkinfo\uni_links_desktop_plugin.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\vcruntime140.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Diagnostics.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-G27S6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-7NCSV.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\openvpn.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-N8COH.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\VPN.RAS.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-FACJA.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\release\is-7K05F.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Microsoft.AppCenter.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-3DN0E.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-F4TDL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\VPN.OpenVpn.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Users\user\AppData\Local\Temp\is-EKRPK.tmp\_isetup\_setup64.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-H7LPP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\amd64\is-59VFL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\driver\windows8\amd64\fastestvpndriver.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Flurl.Http.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Newtonsoft.Json.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Security.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-164FL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-DP0EK.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-H78VV.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\FastestVPN.ViewModel.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\texture_rgba_renderer_plugin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-HFF22.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Newtonsoft.Json.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-J64KK.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\VPN.Common.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\fix-dns-leak-32.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-0UVIJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-Q6LK1.tmpJump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeFile created: C:\Users\user\AppData\Roaming\linkinfo\flutter_custom_cursor_plugin.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-7F3NE.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-BPNEB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\VPN.WireGuard.dll (copy)Jump to dropped file
        Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\drivers\tap0901.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-6DFPP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-6NKFQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-8JVLF.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\window_manager_plugin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Updater.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\SQLitePCLRaw.core.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Cors.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Hardcodet.NotifyIcon.Wpf.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-B80D1.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\tapinstallWin64.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\VPN.AdvancedNetwork.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\flutter_custom_cursor_plugin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-VG3QN.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-942TQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Microsoft.AspNet.SignalR.Core.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\VPN.AdvancedNetwork.dll (copy)Jump to dropped file
        Source: C:\Users\user\Desktop\PVUfopbGfc.exeFile created: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\tapinstall.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Owin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\uni_links_desktop_plugin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\wireguard.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-8LP97.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Microsoft.Owin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\FastestVPN.Data.Local.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-Q54OD.tmpJump to dropped file
        Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\SETFBE4.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Flurl.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-8LAO7.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\System.Buffers.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-DEAN7.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\VPN.Common.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-O850J.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\flutter_windows.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-FJOGB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-08UCO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-QT2D6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\SingleInstanceApplication.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-36FVS.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\System.Web.Cors.dll (copy)Jump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeFile created: C:\Users\user\AppData\Roaming\linkinfo\flutter_gpu_texture_renderer_plugin.dllJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-MSFM2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\ssleay32.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\nfapi.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-O73C0.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-VPRG9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-9A2GQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\devcon.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\tap0901.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-08KKK.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-RE19F.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\FastestVPN.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\openvpnserv2.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\VPN.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\release\is-187AR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-T26NQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-SGO7U.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\desktop_drop_plugin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\VPN.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-L7KIN.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\tapctl.exe (copy)Jump to dropped file
        Source: C:\Windows\System32\drvinst.exeFile created: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\tap0901.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\SQLitePCLRaw.provider.dynamic_cdecl.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tap0901.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\FastestVPN.Common.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Microsoft.Bcl.AsyncInterfaces.dll (copy)Jump to dropped file
        Source: C:\Windows\System32\xcopy.exeFile created: C:\Windows\System32\drivers\fastestvpndriver.sysJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-QRV6K.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-7ILAT.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-VFSD2.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-A12DA.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\amd64\fastestvpndriver.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-28BDQ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-L76N9.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\msvcr100.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\WpfAnimatedGif.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-T0PEK.tmpJump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeFile created: C:\Users\user\AppData\Local\Temp\{3de6fe3a-2caa-7342-a3c4-879d3bf6d444}\SETF8E6.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-KPJ2D.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-4DL4Q.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\i386\is-5LPUL.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\screen_retriever_plugin.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-6P3FR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\tapinstall.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\VPN.OpenVpn.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\is-3J4SO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\libeay32.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-54TNI.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\is-0C2FG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\libcrypto-1_1-x64.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Host.HttpListener.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Resources\libpkcs11-helper-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\is-9JV4C.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpFile created: C:\Program Files\FastestVPN\Microsoft.Extensions.DependencyInjection.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\desktop_multi_window_plugin.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Service\FastestVPN.Common.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\is-2E77U.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Service\is-BOM98.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\is-83O8B.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\is-HLUIP.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\is-1EFGP.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\tapinstallWin32.exe (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\url_launcher_windows_plugin.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\FastestVPN.Diagnostics.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\is-20AM3.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\is-Q3SSJ.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\is-FKERI.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Service\is-UPKPF.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\window_size_plugin.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-BL4HS.tmp
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe | File created: C:\Users\user\AppData\Roaming\linkinfo\file_selector_windows_plugin.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Service\is-93OID.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\System.Numerics.Vectors.dll (copy)
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe | File created: C:\Users\user\AppData\Roaming\linkinfo\screen_retriever_plugin.dll
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-U2LBU.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Service\VPN.WireGuard.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-QQCFD.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\System.Runtime.CompilerServices.Unsafe.dll (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\i386\fastestvpndriver.sys (copy)
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Service\is-4N4RA.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\Resources\is-9JICR.tmp
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Program Files\FastestVPN\FastestVPN.DI.dll (copy)
        Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\drivers\tap0901.sys (copy)
        Source: C:\Windows\System32\xcopy.exe | File created: C:\Windows\System32\drivers\fastestvpndriver.sys
        Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\tap0901.sys (copy)
        Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\SETFBE4.tmp
        Source: C:\Windows\System32\drvinst.exe | File created: C:\Windows\System32\drivers\SET586.tmp
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe | File created: C:\Program Files\FastestVPN\Service\InstallUtil.InstallLog
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe | File created: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastestVPN.lnk
        Source: C:\Windows\System32\drvinst.exe | Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tap0901
        Source: C:\Windows\System32\svchost.exe | Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Linkage
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastestVPN
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastestVPN\FastestVPN.lnk
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\FastestVPN\Uninstall FastestVPN.lnk
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastestVPN.lnk
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe | Code function: 26_2_10013540 OpenSCManagerA,CreateServiceW,CloseServiceHandle,GetLastError,GetLastError,OpenServiceA,QueryServiceStatus,StartServiceA,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,SetLastError,26_2_10013540
        Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\sc.exe sc stop fastestvpndriver
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
        Source: C:\Users\user\Desktop\PVUfopbGfc.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\drvinst.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\svchost.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
        Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\FastestVPN\subinacl.exeProcess information set: NOOPENFILEERRORBOX
        Source: C:\Windows\SysWOW64\netsh.exeProcess information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion

        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: EE0000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: 2A10000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: 1040000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMemory allocated: 1340000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMemory allocated: 3010000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMemory allocated: 5010000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: 25C0000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: 2720000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: 4720000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: DA0000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: F70000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: DA0000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMemory allocated: D00000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMemory allocated: 2A20000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\FastestVPN.exeMemory allocated: 1070000 memory reserve | memory write watch
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe | Code function: 10_2_00007FF798C44820 SetupDiGetDeviceRegistryPropertyW, GetLastError, SetupDiGetDeviceRegistryPropertyW, 10_2_00007FF798C44820
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Window / User API: threadDelayed 3445
        Source: C:\Program Files\FastestVPN\FastestVPN.exe | Window / User API: threadDelayed 2355
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3488
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe | Window / User API: threadDelayed 369
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\is-3J4SO.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\is-0C2FG.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\libcrypto-1_1-x64.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Host.HttpListener.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\libpkcs11-helper-1.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\is-9JV4C.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Microsoft.Extensions.DependencyInjection.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\FastestVPN.Common.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\is-2E77U.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\is-BOM98.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\is-83O8B.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\is-HLUIP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\is-1EFGP.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\tapinstallWin32.exe (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\FastestVPN.Diagnostics.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\is-20AM3.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\is-Q3SSJ.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\is-FKERI.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\is-UPKPF.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-BL4HS.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\System.Numerics.Vectors.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\is-93OID.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\VPN.WireGuard.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-U2LBU.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-QQCFD.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\System.Runtime.CompilerServices.Unsafe.dll (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\sp\driver\windows7\i386\fastestvpndriver.sys (copy)Jump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Service\is-4N4RA.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\Resources\is-9JICR.tmpJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpDropped PE file which has not been started: C:\Program Files\FastestVPN\FastestVPN.DI.dll (copy)Jump to dropped file
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeAPI coverage: 6.2 %
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeAPI coverage: 3.4 %
        Source: C:\Program Files\FastestVPN\FastestVPN.exe TID: 4308Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files\FastestVPN\FastestVPN.exe TID: 1372Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7128Thread sleep count: 3488 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4956Thread sleep count: 119 > 30
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6976Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6128Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 4616Thread sleep time: -30000s >= -30000s
        Source: C:\Windows\System32\svchost.exe TID: 4616Thread sleep time: -30000s >= -30000s
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe TID: 2128Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe TID: 3552Thread sleep count: 369 > 30
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe TID: 3552Thread sleep count: 173 > 30
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe TID: 3220Thread sleep time: -180000s >= -30000s
        Source: C:\Program Files\FastestVPN\FastestVPN.exe TID: 5988Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Program Files\FastestVPN\FastestVPN.exe TID: 764Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\svchost.exeFile opened: PhysicalDrive0
        Source: C:\Windows\System32\drvinst.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystemProduct
        Source: C:\Program Files\FastestVPN\FastestVPN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Program Files\FastestVPN\FastestVPN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Program Files\FastestVPN\FastestVPN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Program Files\FastestVPN\FastestVPN.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystemProduct
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C7E0B0 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,10_2_00007FF798C7E0B0
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C43630 GetWindowsDirectoryW,FindFirstFileW,FindNextFileW,FindClose,10_2_00007FF798C43630
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C7ECAC FindFirstFileExW,FindNextFileW,FindClose,10_2_00007FF798C7ECAC
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C7E0B0 _invalid_parameter_noinfo,_invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,FindClose,10_2_00007FF798C7E0B0
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C7E810 FindFirstFileExW,10_2_00007FF798C7E810
        Source: C:\Program Files\FastestVPN\subinacl.exeCode function: 43_2_0103172D __EH_prolog,#540,#922,#858,#800,#2910,wcslen,#2910,wcslen,#823,GetLastError,_CxxThrowException,#2910,#2910,swprintf,FindFirstFileW,GetLastError,#825,#2910,FindFirstFileW,wcscmp,wcscmp,wcscmp,#535,#942,#942,#535,#942,#942,#800,FindNextFileW,FindClose,#800,43_2_0103172D
        Source: C:\Program Files\FastestVPN\subinacl.exeCode function: 43_2_01031DDF __EH_prolog,#540,#925,#858,#800,#2910,wcslen,wcslen,#2910,wcslen,#823,GetLastError,_CxxThrowException,#2910,#2910,swprintf,FindFirstFileW,GetLastError,#825,#2910,FindFirstFileW,wcscmp,wcscmp,#540,#538,#922,#925,#858,#800,#800,#800,#925,#800,#858,#800,FindNextFileW,FindClose,#800,43_2_01031DDF
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF6DB6CE330 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose,48_2_00007FF6DB6CE330
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A8538F90 FindFirstFileExW,48_2_00007FF8A8538F90
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_100163B0 GetLogicalDriveStringsW,QueryDosDeviceW,GetDriveTypeW,EnterCriticalSection,LeaveCriticalSection,26_2_100163B0
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_100013F0 ResetEvent,GetSystemInfo,26_2_100013F0
        Source: C:\Program Files\FastestVPN\FastestVPN.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files\FastestVPN\FastestVPN.exeThread delayed: delay time: 922337203685477
        Source: C:\Program Files\FastestVPN\FastestVPN.exeThread delayed: delay time: 922337203685477
        Source: C:\Windows\System32\cmd.exeFile opened: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\
        Source: C:\Windows\System32\cmd.exeFile opened: C:\Program Files\FastestVPN\
        Source: C:\Windows\System32\cmd.exeFile opened: C:\Program Files\FastestVPN\Resources\
        Source: C:\Windows\System32\cmd.exeFile opened: C:\Program Files\FastestVPN\Resources\driver\windows10\
        Source: C:\Windows\System32\cmd.exeFile opened: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64
        Source: C:\Windows\System32\cmd.exeFile opened: C:\Program Files\FastestVPN\Resources\driver\
        Source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpBinary or memory string: (IsLinux() && isVMWare) || (IsAndroid() && isNvidia) || (IsAndroid() && GetAndroidSdkLevel() < 27 && IsAdreno5xxOrOlder(functions)) || (!isMesa && IsMaliT8xxOrOlder(functions)) || (!isMesa && IsMaliG31OrOlder(functions))
        Source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpBinary or memory string: VMware
        Source: FastestVPN.exe, 00000034.00000002.3102862692.0000000000DA8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllX
        Source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: noreply@vmware.com0
        Source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0
        Source: powershell.exe, 00000024.00000002.2687015104.0000000002939000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
        Source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1!0
        Source: svchost.exe, 00000010.00000003.2524163708.00000251E8D17000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: *@ethernetwlanppipvmnetextensionEB}
        Source: powershell.exe, 00000024.00000002.2687015104.0000000002939000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: stringComputer System ProductComputer System ProductT3U8Y92ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.Noney*
        Source: svchost.exe, 00000023.00000002.4004637528.0000023FDB859000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: NXTVMWare
        Source: FastestVPN.exe, 00000021.00000002.4034278894.0000000008CD8000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4042159195.000000000B690000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4003437790.0000023FDAAD5000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
        Source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpBinary or memory string: IIBroadcomGoogleMesaMicrosoftSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
        Source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: http://www.vmware.com/0/
        Source: PVUfopbGfc.tmp, 00000001.00000003.3116184671.0000000003446000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\f
        Source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.1
        Source: FastestVPN.exe, 00000021.00000002.4006176311.00000000014D6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWH
        Source: ComDebug.exe, 00000030.00000002.4002487073.000001869C3AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.0
        Source: PVUfopbGfc.tmp, 00000001.00000003.3116184671.0000000003446000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}wo?
        Source: svchost.exe, 00000010.00000003.2523375580.00000251E8D1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: @vmnetextension
        Source: powershell.exe, 00000024.00000002.2697436504.0000000007226000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: stringComputer System ProductComputer System ProductT3U8Y92ED92742-89DC-DD72-92E8-869FA5A66493VMware, Inc.None##5
        Source: svchost.exe, 00000023.00000002.4002841592.0000023FDAA46000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW@
        Source: FastestVPN.WindowsService.exe, 0000002F.00000002.4002904466.0000000000806000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpBinary or memory string: zJVSk/BwJVmcIGfE7vmLV2H0knZ9P4SNVbfo5azV8fUZVqZa+5Acr5Pr5RzUZ5dd
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmpProcess information queried: ProcessInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeProcess queried: DebugPort
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeProcess queried: DebugPort
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C7D9C4 IsDebuggerPresent,OutputDebugStringW,10_2_00007FF798C7D9C4
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C434B0 GetFullPathNameW,LoadLibraryW,GetProcAddress,GetLastError,GetLastError,FreeLibrary,FreeLibrary,10_2_00007FF798C434B0
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C857E0 GetProcessHeap,10_2_00007FF798C857E0
        Source: C:\Program Files\FastestVPN\subinacl.exeProcess token adjusted: Debug
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C47B18 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_00007FF798C47B18
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C48550 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF798C48550
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C76788 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00007FF798C76788
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C48738 SetUnhandledExceptionFilter,10_2_00007FF798C48738
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_004054F3 _raise,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_004054F3
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_0040148B SetUnhandledExceptionFilter,26_2_0040148B
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_0040134A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_0040134A
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_00402D4D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_00402D4D
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_100081EF _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_100081EF
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_1000B228 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,26_2_1000B228
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: 26_2_10007CCF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,26_2_10007CCF
        Source: C:\Program Files\FastestVPN\subinacl.exeCode function: 43_2_0103DEE7 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,43_2_0103DEE7
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF6DB6BC388 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF6DB6BC388
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF6DB6C1278 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF6DB6C1278
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF6DB6BC0D4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,48_2_00007FF6DB6BC0D4
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF6DB6BC568 SetUnhandledExceptionFilter,48_2_00007FF6DB6BC568
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A841A5E4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,48_2_00007FF8A841A5E4
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A841F728 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF8A841F728
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A84B3F30 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,48_2_00007FF8A84B3F30
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A84B8F18 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF8A84B8F18
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A8523AC0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF8A8523AC0
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A8523724 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,48_2_00007FF8A8523724
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: 48_2_00007FF8A85288C8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,48_2_00007FF8A85288C8
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeMemory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion

        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtQuerySystemInformation: Direct from: 0x78DF57E319
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtQuerySystemInformation: Direct from: 0x18600000000
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtAllocateVirtualMemory: Direct from: 0x1869A171740
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtQueryAttributesFile: Direct from: 0x7FF8C7A1540E
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtProtectVirtualMemory: Direct from: 0x100000
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtCreateNamedPipeFile: Direct from: 0x7FF8C88ED570
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtProtectVirtualMemory: Direct from: 0x1869A17348C
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtProtectVirtualMemory: Direct from: 0x7FF8C88A26A1
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtAllocateVirtualMemory: Direct from: 0x7FF810010011
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtProtectVirtualMemory: Direct from: 0x7FF8C6F50000
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtQueryValueKey: Direct from: 0x7FF800000061
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeNtProtectVirtualMemory: Direct from: 0x7FF8C6F74B60
        Source: C:\Program Files\FastestVPN\subinacl.exeCode function: 43_2_010383F6 __EH_prolog,#540,#538,#540,#540,#538,#2910,#861,#4197,#2755,#2910,#800,#800,#800,#800,#800,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#4124,#858,#800,#2910,#2910,#2910,#2755,#4272,#858,#800,#4197,#6563,#2910,#2755,#4272,#858,#800,#4197,#6563,#2910,#2755,#4272,#858,#800,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2756,#2910,swscanf,#2910,#2910,#2910,#2910,#2755,#4272,#858,#800,#825,#4199,#2910,ConvertStringSecurityDescriptorToSecurityDescriptorW,GetLastError,GetSecurityDescriptorLength,#823,GetLastError,#2910,#2910,LocalFree,LocalFree,GetLastError,#2910,#2910,#2910,#2755,#4272,#858,#800,#2910,_wtoi,#2910,#2755,#4272,#858,#800,#858,GetLastError,#2910,#2910,#2910,#2910,#2910,#2755,#4272,#858,#800,#6278,#6279,wcscmp,#2910,swscanf,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2910,#2755,#4272,#858,#800,#540,#540,#2755,#858,#861,#4272,#858,#800,#4124,#858,#800,#2910,wcscmp,#2910,#2910,LogonUserW,GetLastError,#2910,#2910,#800,#800,#800,#800,#2910,#2755,#4272,#858,#800,#858,#861,#861,GetLastError,#2910,#2910,#2910,#2755,#4272,#858,#800,#2755,#538,#4272,#858,#800,#4124,#858,#800,#2910,#2910,#858,GetLastError,#2910,#2910,#2910,#2755,#4272,#858,#800,#2755,#4272,#4124,#858,#800,#4197,#2910,#2910,#2910,#2910,#2910,#800,#537,#800,GetComputerNameW,#861,#927,#858,#800,#538,#922,#800,#800,#2910,#2910,#2910,#2910,#800,#2910,wcsncpy,#861,#861,#800,#2910,#2910,#2910,#2755,#4272,#858,#800,#2756,#2756,#2756,#2756,#2910,#2755,#4272,#858,#800,#5679,#861,#4273,#858,#800,#858,#941,#2910,#2755,#4272,#858,#800,#538,#925,#800,#2910,#2755,#4272,#858,#800,#2755,#4124,#858,#800,#4272,#858,#800,#2755,#540,#4272,#858,#800,#4124,#858,#800,#2756,#2756,#4124,#858,#800,#2910,#2910,wcscmp,GetComputerNameW,#861,#927,#858,#800,#538,#922,#800,#800,#2910,#2910,#2910,#2910,#2910,#800,#800,GetLastError,#2910,#2910,#2910,wcsncpy,wcsncpy,#2910,wcsncpy,#800,#800,#2755,#4272,#858,#800,#2755,#4124,#858,#800,#4272,#858,#800,#2910,#858,GetLastError,#2910,#2910,#858,GetLastError,#2910,#2910,#2910,#2910,#2910,#2755,#4272,#858,#800,#2755,#858,#861,#4124,#858,#800,#4272,#858,#800,#2910,#2910,#2910,#858,GetLastError,#2910,#2910,#2755,#4124,#858,#800,wcsncpy,#2910,GetLengthSid,GetLengthSid,#2910,#2910,#2910,#2755,#4272,#858,#800,#2756,#4124,#858,#800,#6278,#6279,#4272,#858,#800,GetLastError,#2910,#2910,#2910,swscanf,#2910,GetLengthSid,GetLengthSid,GetLengthSid,#2755,#4272,#858,#800,#858,GetLastError,#2910,#2755,#4272,#858,#800,#858,GetLastError,#2910,43_2_010383F6
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "x86"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ver
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe tapinstall.exe remove tap0901
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe tapinstall.exe install OemVista.inf tap0901
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\sc.exe sc stop fastestvpndriver
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "x86"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\reg.exe reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\find.exe find /i "Windows 7"
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\xcopy.exe xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe release\nfregdrv.exe -u fastestvpndriver
        Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe release\nfregdrv.exe fastestvpndriver
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1532 -ip 1532
        Source: C:\Windows\System32\svchost.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1076
        Source: C:\Program Files\FastestVPN\FastestVPN.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeProcess created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
        Source: FastestVPN.exe, FastestVPN.exe, 00000021.00000002.4030148839.00000000062B2000.00000002.00000001.01000000.0000001F.sdmpBinary or memory string: Shell_TrayWnd
        Source: PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, is-7E4EB.tmp.1.drBinary or memory string: RegDeleteKeyWRegEnumKeyExWRegEnumValueWRegOpenKeyExWRoundingMode(RtlGetVersionRtlInitStringRtlMoveMemorySelectedCountSetBrushOrgExSetScrollInfoSetWindowLongShellExecuteWShell_TrayWndShutting downStartServiceWStarting%s %sSysFreeStringSysListView32Thread32FirstUnknown stateValueOverflowVirtualUnlockWTSFreeMemoryWireGuard: %sWriteConsoleWbad flushGen bad map statedalTLDpSugct?debugCall2048effect == nilexchange fullfatal error: getTypeInfo: gethostbynamegetservbynameinvalid UTF-8invalid base invalid indexinvalid stylelevel 3 resetload64 failedmin too largenil stackbasenot availableout of memoryparsing time runtime: seq=runtime: val=srmount errortimer expiredtraceStackTabvalue method wglShareListswireguard-%s-wireguard.dllxadd64 failedxchg64 failed}
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C91B20 cpuid 10_2_00007FF798C91B20
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: EnumSystemLocalesW,10_2_00007FF798C77A70
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: EnumSystemLocalesW,10_2_00007FF798C77BF8
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: EnumSystemLocalesW,10_2_00007FF798C77B7C
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: GetLocaleInfoW,10_2_00007FF798C85120
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_00007FF798C85278
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: GetLocaleInfoW,10_2_00007FF798C8534C
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_00007FF798C85478
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,10_2_00007FF798C84960
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: try_get_function,GetLocaleInfoW,10_2_00007FF798C78B44
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: EnumSystemLocalesW,10_2_00007FF798C84CB8
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: EnumSystemLocalesW,10_2_00007FF798C84E0C
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: EnumSystemLocalesW,10_2_00007FF798C84D3C
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,10_2_00007FF798C84ED0
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: GetLocaleInfoA,26_2_00406C2C
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exeCode function: GetLocaleInfoA,26_2_10011E31
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF6DB6D1CCC
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,48_2_00007FF6DB6D1C1C
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,48_2_00007FF6DB6D13C4
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF6DB6C8A9C
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF6DB6D1AC4
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF6DB6D1878
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF6DB6D17E0
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF6DB6D1710
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF6DB6C8704
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF6DB6D1DF8
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A843A138
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A843111C
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A843A208
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,48_2_00007FF8A8439DEC
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,48_2_00007FF8A843A644
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoEx,48_2_00007FF8A8418E68
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF8A8431660
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF8A843A820
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A84CA90C
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A84D3928
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A84D39F8
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,48_2_00007FF8A84D35DC
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF8A84CAE50
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoEx,48_2_00007FF8A84B2658
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,48_2_00007FF8A84D3E34
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF8A84D4010
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW,48_2_00007FF8A853C1E4
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,48_2_00007FF8A853CA3C
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF8A853CAEC
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A85343DC
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF8A853CC18
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A853C530
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: EnumSystemLocalesW,48_2_00007FF8A853C600
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,48_2_00007FF8A853C698
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF8A8534774
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exeCode function: GetLocaleInfoW,48_2_00007FF8A853C8E4
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exeCode function: 10_2_00007FF798C44820 SetupDiGetDeviceRegistryPropertyW,GetLastError,SetupDiGetDeviceRegistryPropertyW,10_2_00007FF798C44820
        Source: C:\Windows\System32\reg.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
        Source: C:\Windows\System32\reg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
        Source: C:\Windows\System32\reg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion ProductId
        Source: C:\Windows\System32\reg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
        Source: C:\Windows\System32\reg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId4
        Source: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp Queries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Queries volume information: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tap0901.cat VolumeInformation
        Source: C:\Windows\System32\drvinst.exe Queries volume information: C:\Windows\System32\DriverStore\Temp\{3bd71b09-5ac6-d142-aa36-78b471b9091f}\tap0901.cat VolumeInformation
        Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.AspNet.SignalR.Core.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.exe VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\SingleInstanceApplication.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.DI.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Microsoft.Extensions.DependencyInjection.Abstractions.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Microsoft.Extensions.DependencyInjection.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Microsoft.Bcl.AsyncInterfaces.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\System.Threading.Tasks.Extensions.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.ViewModel.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\VPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.Diagnostics.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.BLL.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.Data.Local.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.Data.Remote.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Hardcodet.NotifyIcon.Wpf.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\WpfAnimatedGif.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Newtonsoft.Json.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\PresentationFramework-SystemXml\v4.0_4.0.0.0__b77a5c561934e089\PresentationFramework-SystemXml.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Microsoft.AppCenter.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Microsoft.AppCenter.Analytics.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\Microsoft.AppCenter.Crashes.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.CSharp\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.CSharp.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Dynamic\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Dynamic.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\SQLitePCLRaw.batteries_v2.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\SQLitePCLRaw.core.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\SQLitePCLRaw.provider.dynamic_cdecl.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\netstandard\v4.0_2.0.0.0__cc7b13ffcd2ddd51\netstandard.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\System.Memory.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.InteropServices.RuntimeInformation\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Runtime.InteropServices.RuntimeInformation.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\System.Runtime.CompilerServices.Unsafe.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Deployment\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.AspNet.SignalR.Core.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\FastestVPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Hosting.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Owin.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Host.HttpListener.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\FastestVPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\fix-dns-leak-32.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\iphelperclose.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.AspNet.SignalR.Core.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Cors.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Diagnostics.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Diagnostics.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Host.HttpListener.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Security.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Security.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Newtonsoft.Json.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Newtonsoft.Json.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\nfapi.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Owin.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\System.Web.Cors.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\System.Web.Cors.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.AdvancedNetwork.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.AdvancedNetwork.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.OpenVpn.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.OpenVpn.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.RAS.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.RAS.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\FastestVPN.Common.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\fix-dns-leak-32.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\iphelperclose.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.AspNet.SignalR.Core.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Microsoft.Owin.Cors.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\Owin.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.AdvancedNetwork.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.OpenVpn.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.RAS.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\VPN.WireGuard.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Program Files\FastestVPN\Service\subinacl.exe VolumeInformation
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
        Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\FastestVPN.exe VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Program Files\FastestVPN\SingleInstanceApplication.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation
        Source: C:\Program Files\FastestVPN\FastestVPN.exe Code function: 33_2_013427C8 CreateNamedPipeA,33_2_013427C8
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Code function: 10_2_00007FF798C78BC8 try_get_function,GetSystemTimeAsFileTime,10_2_00007FF798C78BC8
        Source: C:\Program Files\FastestVPN\subinacl.exe Code function: 43_2_0102E7AC __EH_prolog,#540,#2755,#858,#2910,#2910,LookupAccountNameW,#861,#942,#940,#4197,#4197,#800,#2910,#2910,LookupAccountNameW,#858,43_2_0102E7AC
        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe Code function: 48_2_00007FF8A8435CAC _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation,48_2_00007FF8A8435CAC
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe Code function: 26_2_00401160 GetStartupInfoA,GetProcessHeap,GetProcessHeap,HeapAlloc,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,__amsg_exit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__amsg_exit,__setenvp,__amsg_exit,__cinit,__amsg_exit,__wincmdln,26_2_00401160
        Source: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

        Lowering of HIPS / PFW / Operating System Security Settings

        Source: C:\Program Files\FastestVPN\Resources\ComDebug.exe Process created: C:\Windows\SysWOW64\netsh.exe C:\Windows\SysWOW64\netsh.exe
        Source: C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

        Stealing of Sensitive Information

        Source: C:\Windows\System32\svchost.exe Registry value created:
        Source: FastestVPN.WindowsService.exe, 0000002F.00000002.4010652534.0000000003A42000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: OWIN_SERVER@Microsoft.Owin.Host.HttpListener
        Source: FastestVPN.WindowsService.exe, 0000002F.00000002.4010652534.0000000003A42000.00000002.00000001.01000000.00000034.sdmp Binary or memory string: OWIN_SERVERAMicrosoft.Owin.Host.HttpListenerPORT
        Source: FastestVPN.WindowsService.exe, 0000002F.00000002.4006061122.0000000000FCC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OWIN_SERVER
        Source: FastestVPN.WindowsService.exe Binary or memory string: WIN_SERVER
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe Code function: 26_2_10014170 ?nf_deleteBindingRules@nfapi@@YA?AW4_NF_STATUS@@XZ,EnterCriticalSection,LeaveCriticalSection,DeviceIoControl,LeaveCriticalSection,LeaveCriticalSection,26_2_10014170
        Source: C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe Code function: 26_2_100141E0 ?nf_addBindingRule@nfapi@@YA?AW4_NF_STATUS@@PAU_NF_BINDING_RULE@1@H@Z,EnterCriticalSection,LeaveCriticalSection,DeviceIoControl,LeaveCriticalSection,LeaveCriticalSection,26_2_100141E0
        [MITRE ATT&CK matrix. Columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]
        [Behavior graph. Behavior Graph ID: 1524840, Sample: PVUfopbGfc.exe, Startdate: 03/10/2024, Architecture: WINDOWS, Score: 54]

        Source | Detection | Scanner | Label | Link
        PVUfopbGfc.exe | 21% | ReversingLabs

        Source | Detection | Scanner | Label | Link
        C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.BLL.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.Common.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.DI.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.Data.Local.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.Data.Remote.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.Diagnostics.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.ViewModel.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\FastestVPN.exe (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Flurl.Http.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Flurl.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Hardcodet.NotifyIcon.Wpf.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Microsoft.AppCenter.Analytics.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Microsoft.AppCenter.Crashes.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Microsoft.AppCenter.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Microsoft.AspNet.SignalR.Client.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Microsoft.Bcl.AsyncInterfaces.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Microsoft.Extensions.DependencyInjection.Abstractions.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Microsoft.Extensions.DependencyInjection.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Newtonsoft.Json.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\ComDebug.exe (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\desktop_drop_plugin.dll (copy) | 62% | ReversingLabs | Win64.Downloader.Rugmi
        C:\Program Files\FastestVPN\Resources\desktop_multi_window_plugin.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\devcon.exe (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-7ND37.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\is-H7LPP.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tap0901.sys (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-K6RGO.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\i386\is-U2LBU.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\i386\tap0901.sys (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows10\i386\tapinstall.exe (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-BL4HS.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\amd64\is-HFF22.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\amd64\tap0901.sys (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\amd64\tapinstall.exe (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-L35S6.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\i386\is-QQCFD.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\i386\tap0901.sys (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\driver\windows\i386\tapinstall.exe (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\file_selector_windows_plugin.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\flutter_custom_cursor_plugin.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\flutter_gpu_texture_renderer_plugin.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\flutter_windows.dll (copy) | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-164FL.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-1EFGP.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-28E9M.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-3J4SO.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-56J26.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-6P3FR.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-6VF2K.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-7ILAT.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-83O8B.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-8JVLF.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-8LAO7.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-942TQ.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-9JICR.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-B80D1.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-DN2OR.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-FJOGB.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-J64KK.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-KM19Q.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-N1V1C.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-O73C0.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-O850J.tmp | 62% | ReversingLabs | Win64.Downloader.Rugmi
        C:\Program Files\FastestVPN\Resources\is-PA9AI.tmp | 0% | ReversingLabs
        C:\Program Files\FastestVPN\Resources\is-PN3F9.tmp | 0% | ReversingLabs
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label | Link
        https://www.innosetup.com/ | 0% | URL Reputation | safe
        http://ip-api.com/json | 0% | URL Reputation | safe
        http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd | 0% | URL Reputation | safe
        http://schemas.xmlsoap.org/ws/2005/02/trust/Issue | 0% | URL Reputation | safe
        http://schemas.xmlsoap.org/ws/2005/02/sc | 0% | URL Reputation | safe
        Name | IP | Active | Malicious | Antivirus Detection | Reputation
        fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | unknown
        15.164.165.52.in-addr.arpa | unknown | unknown | false | | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
                                                                        https://crbug.com/1060012ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                          unknown
                                                                          http://Passport.NET/STS&lt;/ds:KeyName&gt;&lt;/ds:KeyInfo&gt;svchost.exe, 00000023.00000002.4004637528.0000023FDB837000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                            unknown
                                                                            http://anglebug.com/3997ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                              unknown
                                                                              http://anglebug.com/4722ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                unknown
                                                                                http://crbug.com/642605ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                  unknown
                                                                                  https://github.com/hardcodet/wpf-notifyiconFastestVPN.exe, FastestVPN.exe, 00000021.00000002.4030148839.00000000062B2000.00000002.00000001.01000000.0000001F.sdmpfalse
                                                                                    unknown
                                                                                    http://anglebug.com/1452ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                      unknown
                                                                                      https://login.microsoftonline.com/ppsecure/ResolveUser.srfsuersvchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        unknown
                                                                                        http://ocsp.entrust_FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          unknown
                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdessvchost.exe, 00000023.00000003.2673565640.0000023FDB16D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2673599266.0000023FDB176000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                            unknown
                                                                                            http://crl.entrust.net/ts2ca.crl0PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.exe, 00000021.00000002.4037191355.0000000008DC7000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3024841016.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-9A2GQ.tmp.1.dr, is-164FL.tmp.1.dr, is-3DN0E.tmp.1.dr, is-RE19F.tmp.1.drfalse
                                                                                              unknown
                                                                                              https://crbug.com/650547callClearTwiceUsingComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                unknown
                                                                                                http://crl.entrust.net/g2ca.crl0PVUfopbGfc.tmp, 00000001.00000002.3116503971.000000000018C000.00000004.00000010.00020000.00000000.sdmp, PVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3024841016.0000000000DA0000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3022792423.0000000000C05000.00000004.00000020.00020000.00000000.sdmp, is-1EFGP.tmp.1.dr, is-9A2GQ.tmp.1.dr, is-164FL.tmp.1.dr, is-3DN0E.tmp.1.dr, is-RE19F.tmp.1.drfalse
                                                                                                  unknown
                                                                                                  http://crbug.com/1420130ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                    unknown
                                                                                                    http://anglebug.com/3502ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                      unknown
                                                                                                      http://anglebug.com/3623ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                        unknown
                                                                                                        http://anglebug.com/3625ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                          unknown
                                                                                                          https://login.microsoftonline.com/ppsecure/deviceremovecredential.srfsvchost.exe, 00000023.00000002.4002959664.0000023FDAA52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2575547972.0000023FDB110000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            unknown
                                                                                                            http://anglebug.com/3624ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                              unknown
                                                                                                              http://anglebug.com/2894ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                unknown
                                                                                                                http://ip-api.com/jsonFastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027602256.0000000005FF2000.00000002.00000001.01000000.0000001E.sdmpfalse
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://login.microsoftonline.com/ppsecure/DeviceQuery.srfsvchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576249124.0000023FDB163000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  unknown
                                                                                                                  http://anglebug.com/3862ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                    unknown
                                                                                                                    https://www.wireguard.com/donations/keyPVUfopbGfc.tmp, 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, is-7E4EB.tmp.1.drfalse
                                                                                                                      unknown
                                                                                                                      http://schemas.datacontract.org/2004/07/System.ServiceProcessdFastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        unknown
                                                                                                                        http://anglebug.com/4836ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                          unknown
                                                                                                                          https://issuetracker.google.com/issues/166475273ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                            unknown
                                                                                                                            http://www.correo.com.uy/correocert/cps.pdf0FastestVPN.exe, 00000021.00000002.4040886927.000000000B5B1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              unknown
                                                                                                                              http://anglebug.com/3970ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                unknown
                                                                                                                                http://www.w3.osvchost.exe, 00000023.00000002.4003744491.0000023FDAB02000.00000004.00000020.00020000.00000000.sdmp, FastestVPN.WindowsService.exe, 0000002A.00000002.3025246544.0000000002795000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  unknown
                                                                                                                                  http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdsvchost.exe, 00000023.00000002.4004044511.0000023FDB100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2618421493.0000023FDB107000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2637808568.0000023FDB108000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  • URL Reputation: safe
                                                                                                                                  unknown
                                                                                                                                  https://signup.live.com/signup.aspxsvchost.exe, 00000023.00000003.2576049788.0000023FDB13B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4002841592.0000023FDAA2B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576184138.0000023FDB140000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2575702483.0000023FDB155000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576002297.0000023FDB14D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    unknown
                                                                                                                                    https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80601svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      unknown
                                                                                                                                      https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80603svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        unknown
                                                                                                                                        http://anglebug.com/5901ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                          unknown
                                                                                                                                          http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAAsvchost.exe, 00000023.00000003.2637478660.0000023FDB129000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                            unknown
                                                                                                                                            http://anglebug.com/3965ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                              unknown
                                                                                                                                              https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80605svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576747060.0000023FDB12A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                unknown
                                                                                                                                                https://anglebug.com/7161ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                  unknown
                                                                                                                                                  https://account.live.com/inlinesignup.aspx?iww=1&amp;id=80604svchost.exe, 00000023.00000003.2575702483.0000023FDB152000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000003.2576533166.0000023FDB156000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                    unknown
                                                                                                                                                    https://github.com/ericsink/SQLitePCL.rawXFastestVPN.exe, 00000021.00000002.4047258906.000000000C262000.00000002.00000001.01000000.0000002E.sdmpfalse
                                                                                                                                                      unknown
                                                                                                                                                      https://anglebug.com/7162ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                        unknown
                                                                                                                                                        http://anglebug.com/3729ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                          unknown
                                                                                                                                                          http://anglebug.com/5906ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                            unknown
                                                                                                                                                            http://crbug.com/830046ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                              unknown
                                                                                                                                                              http://anglebug.com/2517ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                                unknown
                                                                                                                                                                http://anglebug.com/4937ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                                  unknown
                                                                                                                                                                  https://fastestvpn.com/faq?device=windowsFastestVPN.exe, FastestVPN.exe, 00000021.00000002.4027000296.0000000005F82000.00000002.00000001.01000000.00000019.sdmpfalse
                                                                                                                                                                    unknown
                                                                                                                                                                    https://issuetracker.google.com/166809097ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                                      unknown
                                                                                                                                                                      http://ocsp.digicert.coComDebug.exe, 00000030.00000002.4002071785.000001869C150000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        unknown
                                                                                                                                                                        http://schemas.xmlsoap.org/ws/2005/02/trust/Issuesvchost.exe, 00000023.00000002.4004331371.0000023FDB15F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                        • URL Reputation: safe
                                                                                                                                                                        unknown
                                                                                                                                                                        https://github.com/ericsink/SQLitePCL.rawHFastestVPN.exe, 00000021.00000002.4047412647.000000000C282000.00000002.00000001.01000000.0000002F.sdmp, is-3DN0E.tmp.1.drfalse
                                                                                                                                                                          unknown
                                                                                                                                                                          http://crbug.com/672380ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                                            unknown
                                                                                                                                                                            https://github.com/SignalR/SignalR/tree/7f53f266daf1aad3dabb1b6d7a71d4c1501ec8dcFastestVPN.WindowsService.exe, FastestVPN.WindowsService.exe, 0000001E.00000002.3013228401.0000000005312000.00000002.00000001.01000000.0000000E.sdmpfalse
                                                                                                                                                                              unknown
                                                                                                                                                                              https://g.live.com/odclientsettings/Prod/C:svchost.exe, 00000026.00000003.2583646117.000001E7592A3000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                unknown
                                                                                                                                                                                http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThereComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://schemas.xmlsoap.org/ws/2005/02/scsvchost.exe, 00000023.00000003.2673467981.0000023FDB184000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004487236.0000023FDB184000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000023.00000002.4004331371.0000023FDB15F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  • URL Reputation: safe
                                                                                                                                                                                  unknown
                                                                                                                                                                                  http://anglebug.com/3832ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                                                    unknown
                                                                                                                                                                                    https://crbug.com/811661ComDebug.exe, 00000030.00000002.4009726276.00007FF8A8008000.00000002.00000001.01000000.00000045.sdmpfalse
                                                                                                                                                                                      unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                                                                                                                                                                                                          IP
                                                                                                                                                                                                          127.0.0.1
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1524840
Start date and time: 2024-10-03 10:42:18 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 14m 9s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes analysed: 53
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: PVUfopbGfc.exe
renamed because original name is a hash value
Original Sample Name: 402aacbb8dc07d96733eee2292f709d89d65efbe82d55e0dd4b7764cdde287b5.exe
Detection: MAL
Classification: mal54.troj.spyw.expl.evad.winEXE@78/368@1/1
                                                                                                                                                                                                          EGA Information:
                                                                                                                                                                                                          • Successful, ratio: 77.8%
                                                                                                                                                                                                          HCA Information:
                                                                                                                                                                                                          • Successful, ratio: 96%
                                                                                                                                                                                                          • Number of executed functions: 158
                                                                                                                                                                                                          • Number of non-executed functions: 235
                                                                                                                                                                                                          Cookbook Comments:
                                                                                                                                                                                                          • Found application associated with file extension: .exe
                                                                                                                                                                                                          • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
                                                                                                                                                                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                          • Excluded IPs from analysis (whitelisted): 192.229.221.95, 40.126.32.136, 40.126.32.74, 40.126.32.134, 40.126.32.76, 40.126.32.72, 20.190.160.14, 40.126.32.68, 20.190.160.22, 184.28.90.27, 104.208.16.94
                                                                                                                                                                                                          • Excluded domains from analysis (whitelisted): www.bing.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, slscr.update.microsoft.com, www.tm.v4.a.prd.aadg.akadns.net, cacerts.digicert.com, ctldl.windowsupdate.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, ocsps.ssl.com, login.live.com, e16604.g.akamaiedge.net, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net, www.tm.lg.prod.aadmsa.trafficmanager.net, onedsblobprdcus16.centralus.cloudapp.azure.com
                                                                                                                                                                                                          • Execution Graph export aborted for target ComDebug.exe, PID 1164 because there are no executed function
                                                                                                                                                                                                          • Execution Graph export aborted for target powershell.exe, PID 2360 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                          • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                          • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                          • VT rate limit hit for: PVUfopbGfc.exe
Time | Type | Description
10:43:51 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FastestVPN.lnk
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | OqAVRCkQ3T.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | OqAVRCkQ3T.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | mapMd1URzq.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | mnFHs2DuKg.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | oRdgOQMxjr.exe | malicious | RedLine | 192.229.221.95
fp2e7a.wpc.phicdn.net | v173TV3V11.exe | malicious | SmokeLoader | 192.229.221.95
fp2e7a.wpc.phicdn.net | 0k3ibTiMjy.exe | malicious | SmokeLoader | 192.229.221.95
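Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | OqAVRCkQ3T.exe | malicious | Unknown
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | OqAVRCkQ3T.exe | malicious | LummaC
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | mapMd1URzq.exe | malicious | Unknown
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | mnFHs2DuKg.exe | malicious | Unknown
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | External.exe | malicious | Ades Stealer, BlackGuard, VEGA Stealer
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | newvideozones.click.ps1 | malicious | Unknown
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | use_2024_t#U043e_#U043epen.zip | malicious | Unknown
C:\Program Files\FastestVPN\BouncyCastle.Crypto.dll (copy) | JetBrains.dotPeek.2024.1.3.web.exe | malicious | Unknown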
Process: C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
File Type: PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category: dropped
Size (bytes): 3316968
Entropy (8bit): 6.532906510598102
Encrypted: false
                                                                                                                                                                                                                          SSDEEP:49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
                                                                                                                                                                                                                          MD5:0CF454B6ED4D9E46BC40306421E4B800
                                                                                                                                                                                                                          SHA1:9611AA929D35CBD86B87E40B628F60D5177D2411
                                                                                                                                                                                                                          SHA-256:E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
                                                                                                                                                                                                                          SHA-512:85262F1BC67A89911640F59A759B476B30CA644BD1A1D9CD3213CC8AAE16D7CC6EA689815F19B146DB1D26F7A75772CEB48E71E27940E3686A83EB2CF7E46048
                                                                                                                                                                                                                          Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: OqAVRCkQ3T.exe, Detection: malicious
• Filename: OqAVRCkQ3T.exe, Detection: malicious
• Filename: mapMd1URzq.exe, Detection: malicious
• Filename: mnFHs2DuKg.exe, Detection: malicious
• Filename: External.exe, Detection: malicious
• Filename: newvideozones.click.ps1, Detection: malicious
• Filename: use_2024_t#U043e_#U043epen.zip, Detection: malicious
• Filename: JetBrains.dotPeek.2024.1.3.web.exe, Detection: malicious
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):30888
                                                                                                                                                                                                                          Entropy (8bit):6.550270680442998
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:RzfFYXOvijvSGpUprWHEvgr0KnB4C7GrhIYiRSk0FP27NBY3Yuv+U:RxyOg9bxr9qaGKYi8K/Y/+U
                                                                                                                                                                                                                          MD5:96D7E9527C5D8BDBA798F72B5FD9B94A
                                                                                                                                                                                                                          SHA1:C9CE9813C74493084D6E3DDA37C35C8822CA381F
                                                                                                                                                                                                                          SHA-256:6942DC9FDBB229D066BA3E1844883B9DA3EAE21F7035FFF2674C3F19C6331B55
                                                                                                                                                                                                                          SHA-512:BE88433F513C4D9F58BDDFED57427DEC12BA0490E2D7C79176144732FBB7969956FA55B03E462C50EA3508389B3C29BC5A559F4B6002C6022C93D059C65B5C44
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):70824
                                                                                                                                                                                                                          Entropy (8bit):6.23750269831583
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:rMDv5NwVvDK0HBDk4rVHe061i/kObvmaLLJBr+tTe7TK/SB0:UorK0HBDk4rV21HObvm2LJB4eHK/SO
                                                                                                                                                                                                                          MD5:0F7D6DEE75C3FBB958529AB6A351CBDF
                                                                                                                                                                                                                          SHA1:1CA639AB692ECD972C51C8BF826BF9BF089359FE
                                                                                                                                                                                                                          SHA-256:C5B07CBACD0FF045485A0A4CE6FB3CCB330A0623E3EFE347D61DA4E698FDE412
                                                                                                                                                                                                                          SHA-512:58F0B5ED44E3290D6C9FB0E624F2A351CD5BB4744A84AC55AC47FB1B087026DE4DBAA6BBC83255EEC51A2BB3ED9A680EF53E8FC7035586B4A74CA68016AE0F5D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):19112
                                                                                                                                                                                                                          Entropy (8bit):6.821071301483957
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:LVVVVVwhr+vtlzIYilpm0FP27NBY3Yuv+Z:LVVVVVwhKvtl8YijnK/Y/+Z
                                                                                                                                                                                                                          MD5:64E2269D156CA2AA5704E2E0908506F9
                                                                                                                                                                                                                          SHA1:0F7D6EECE52D8A9A91E389736BE1092739AA3014
                                                                                                                                                                                                                          SHA-256:B012720952E3FE9CB303E9EDB4314F924CB388D9C24FB63A968A3479113B665D
                                                                                                                                                                                                                          SHA-512:C845E7EB96ED29C564C28D42F07F5EB81C27568F0F89C343533384BF8E704B99566EA073E46259D9F3740A7A3D41AAB5BFA78AEAB05697100B3A179F5C1EDFB6
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):432
                                                                                                                                                                                                                          Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                          MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                          SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                          SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                          SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.623350319992477
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:21Vrp7wobZBVBhB3GmLiVWgktWe9JHEDIYirwt0FP27NBY3Yuv+1WyT1g:21VV7TbXX72MtWQJHEsYi/K/Y/+1Wy5g
                                                                                                                                                                                                                          MD5:D92BF2C8E0A192E18B1F0B24CCB75171
                                                                                                                                                                                                                          SHA1:2A6343C3409172E1D426B763151E0CBA3B35E473
                                                                                                                                                                                                                          SHA-256:BEED084878EACA4A745A53CC21FAAD1A76F4F82C955BB507496B5B9F23032F1C
                                                                                                                                                                                                                          SHA-512:71AD4963BCEBE516FD9EE526F2DD1ECB13F10E1424D0D3CED08A19A38D902DA562C9B1D0E308C4B898E30187773F040CF6A437210EFEF52B957623F798E59459
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):29352
                                                                                                                                                                                                                          Entropy (8bit):6.56368110636982
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:vT6rilChUvVsYQTJMS6V4B6PYikK/Y/+V7:7qSsYOwP7kK/77
                                                                                                                                                                                                                          MD5:1CFBF0CBA3C87653D9639ADA438C3291
                                                                                                                                                                                                                          SHA1:07E36A34319EAD85857CC022E277B69EA132750B
                                                                                                                                                                                                                          SHA-256:3525FCE82E2687D8EFAF992147B196881818856EA9EA851A8DC930751329A8DD
                                                                                                                                                                                                                          SHA-512:E95FC978E889BD62E92975EFD8F39161B6E43FE97451068552E3A71635943F990E4E8697323794D75F77BB12F3DE4E2CFADB5B9D80EF90F1992C82298EBFD00B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):432
                                                                                                                                                                                                                          Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                          MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                          SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                          SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                          SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):19624
                                                                                                                                                                                                                          Entropy (8bit):6.761472837087098
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:pwG3NNuGs7lkviba8FLdwIYieB0FP27NBY3Yuv+4pdS:F+V7PpFLdZYixK/Y/+4S
                                                                                                                                                                                                                          MD5:12A69C58D97C26D0132D493111E42345
                                                                                                                                                                                                                          SHA1:0DCC8570C7D76B660746A0F657607864F8764AD4
                                                                                                                                                                                                                          SHA-256:E6682B67F0C489BEB53C93C399D46CEAEBDD7096AD7DB984BF99DCC68E476F4C
                                                                                                                                                                                                                          SHA-512:3335371222BB282C55F1309432CD776CD146EFA9B6D17BF23997EFA6E3A741512FD95B9382EB719F400C6A70BD13E6A445A6011716B4C7637CF1083C8D669BE6
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1192
                                                                                                                                                                                                                          Entropy (8bit):5.059106104983516
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:JduPF7NV+TkH2/17zVVXBOH2/17zVQ7uH2/XVUrPH2/+C9y:327Gwg1BOg1SagXSg+Cw
                                                                                                                                                                                                                          MD5:66373624F8B60F41B8FEC0E61779C0AC
                                                                                                                                                                                                                          SHA1:0D3BE3C009F0A2260F89C3FBC9FFEBA0061C17F2
                                                                                                                                                                                                                          SHA-256:FE0A5830D875B8BD0864BF4F85705D4F2E3D7A575C07B2B5A18041558DBA1386
                                                                                                                                                                                                                          SHA-512:74F084B2697F936122E371042FEF5740BF205914B3FA276F8F7C72561680BF2C39A7DD2970BDEDF36AACC20970CD9552A719211F30090881E498815D91C6CDD0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffc
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):124072
                                                                                                                                                                                                                          Entropy (8bit):6.169344446608534
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:LurAkSCDvkOtt+niUnQY8/LFEMnK8VQW5K/7:LJkSCDv+iUnQXLFEEM/7
                                                                                                                                                                                                                          MD5:2DC3102392DAEF9B935CDF4939A9B132
                                                                                                                                                                                                                          SHA1:F56261CE19BFC14F8317C2AA05F010E9ACFBCE02
                                                                                                                                                                                                                          SHA-256:B6D9088505C220F23132D78675004BC31E0FB5C04257357C2B02072EF8C28DAD
                                                                                                                                                                                                                          SHA-512:596AFAA1347CF730D2D0312857366EE3AD4C5C439E2F93BD6D38B29129C7B3530523B206FAEEF1DB3F6D9A18482162FF56321C9F1A1FA4F296F6B29AE8659321
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):432
                                                                                                                                                                                                                          Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                          MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                          SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                          SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                          SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2059432
                                                                                                                                                                                                                          Entropy (8bit):7.651137710710665
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:+3zNmj7tPN/PPINv2lYnvqfI1L3ciKKqjnTVlKJ+hgyiTebWmDXQHMkgXvYOdSYB:84vtPNvCv2Qqfobuvq+hqCTDgHMT
                                                                                                                                                                                                                          MD5:01CF6EF766C41BB2C99A2CCCDECC69C1
                                                                                                                                                                                                                          SHA1:8DD5EB983C1C8F2E3A2538E50295644BB778A69E
                                                                                                                                                                                                                          SHA-256:9A9B95CA40D32FA23A615A122FA3AAF7AEB32FBEF2850D729F77C1169FFC0452
                                                                                                                                                                                                                          SHA-512:9EE4D4D7852555F67CF0C9B372DCA87EC0727AB0A6FC5EAE309CF6BF5467FC75C6868A5E528D34AB605CDC736D30684D35A1451D4ABE3B99BA37D276474AC940
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1112
                                                                                                                                                                                                                          Entropy (8bit):5.030466366630491
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:JdArztW1oF7Nv+IcvH2/+GVTcvH2/+GVhOXrRH2/d9y:3Arzcq7h+Iag+GMg+G27Rgdw
                                                                                                                                                                                                                          MD5:B94AE93769D64791440B3C36CC82AC69
                                                                                                                                                                                                                          SHA1:E4AAAD9A0FB51051C8B25F768BC1563543F132C0
                                                                                                                                                                                                                          SHA-256:432BFD182828A531147812566CB3439702A243BB7A4C45CC816192F9CB91D4A5
                                                                                                                                                                                                                          SHA-512:AD978C59980C0194357D5070D53EA77C334493D14593C141B9DBEEF835FC688FD90C99236D687F50860FA7F4FD4125650E432A61EDF7917C77E4EE4E5E3D4E66
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />.. </startup>.. <runtime>.. <legacyCorruptedStateExceptionsPolicy enabled="true" />.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.Expression.Interactions" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.5.0.0" newVersion="4.5.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Windows.Interactivity" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.5.0.0" newVersion="4.5.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):117928
                                                                                                                                                                                                                          Entropy (8bit):6.160360774488817
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:Hzne5lbC/VlCG2OWMMdWWbWbWw+Hfz+8lKbchOD07PQCFP1IYmDe/WAbBuhEK/a:HFO4WMMdWWbWbWw+Hfz+8lKbchOD07PP
                                                                                                                                                                                                                          MD5:FDFDFE021B53B630939D27C6C90CB435
                                                                                                                                                                                                                          SHA1:AA0987A6EA6987BB9930B9167EC31C249EF9D885
                                                                                                                                                                                                                          SHA-256:D753A7EF62BABC2ADB5D1DBEB0BEBAA2B042CC01CC219726F32F761BBB0A711D
                                                                                                                                                                                                                          SHA-512:1FD0C74D0ED3AC4DF26D3E95C0F133E8024D77D1FD06E0C76C630D6AAC7B81124AA1DCA7CFFAC43BC34252A057414F8C3F8EC63A805323B1EF892B5F6A277D3B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):49320
                                                                                                                                                                                                                          Entropy (8bit):6.325351798150663
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:Qmbo2ICFobV6wsLIcUIh/61jCouvi1Ys7ZYiG6K/Y/+Z:QmbrbU6ws0cGjCoei1Ys7Z7G6K/P
                                                                                                                                                                                                                          MD5:C22900453EF4B917460ADEA7DE87225B
                                                                                                                                                                                                                          SHA1:6878237656DA68C046FB95FAA8CAF3B4C719851B
                                                                                                                                                                                                                          SHA-256:9AF8C8105093B7D62FC578DAE3497FF0AD796C9ABD638EB14269DED4270DFF96
                                                                                                                                                                                                                          SHA-512:2E7D0EB99E2924FB375AAF8891968228193C65C133E362F66567C044E8B744ABC3A992EF7606644690D1BB81AD13A64A35D8107BDBDD9D5942BEA1DD1074EA3C
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):108200
                                                                                                                                                                                                                          Entropy (8bit):7.332504567097915
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:Gn5VJM3T5szyxa9PuIKb8wmtyYVzH0cfNbQSi/GoP4YNjZ34A7GZK/ZIVQ:GWsEa9GIdyAUKWeYNl34AwK/ZV
                                                                                                                                                                                                                          MD5:261A5044C94F318DEEA20D178ED9F36E
                                                                                                                                                                                                                          SHA1:2A9704F70A543EE219481A3AA756A0CF151E1999
                                                                                                                                                                                                                          SHA-256:D17E9B0C62C224D1BA56E7206D8A44FE382FE99752C511BA211A7725D83FEF43
                                                                                                                                                                                                                          SHA-512:E53C320DBF6B2AAEEC01FE5AFF1FAD5A8D75B2483A78BA0E1B510F2A7A8C5C510ACD603541734F4A002748D0781FC11AFBF6967EBCDB41A6FC9A29C828ABC2A3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25976
                                                                                                                                                                                                                          Entropy (8bit):6.331152456306087
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:Z90ljCvGQJ+GlfmER/asDZ0WN1L4meT6pmOW2ZZWeQMWMLHRN7S37EHR9zCt+:Z9EIGk+GlfmERxcFz2ZSCL+7Ex9zS+
                                                                                                                                                                                                                          MD5:3C5DFBB4E3F1AD153EB2E203B56EA0AE
                                                                                                                                                                                                                          SHA1:59623BF1D67D87264C165E421F12426DA998AF46
                                                                                                                                                                                                                          SHA-256:9E8252429D0E6529B87A2C79A13119F4DF56ABE924949F3750B024C51D747378
                                                                                                                                                                                                                          SHA-512:94DF20E98A2E5D7AC93B63EFEBCE4DAAFBF25AB6B4A2B76AF0BB46D9EDE102AC8C8E1147D5813CDB879AADD5A8AA4073FD0E6066286AF4EF4D368FAB983BE3B5
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):53624
                                                                                                                                                                                                                          Entropy (8bit):6.18841715621451
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:mLtojuUUUbf/l0lwELEEEqi8g15qTLT5HGoV0weeezxSoL3G7Yl9zndG:mE17Iw8/i8gM5maee8SoL13zdG
                                                                                                                                                                                                                          MD5:B7ABAF6A90E95E585E71C0C22D90AF73
                                                                                                                                                                                                                          SHA1:C9756883D1738A9931D0BF58D6F69CBB8DFD5870
                                                                                                                                                                                                                          SHA-256:3BA247FDCC6953B5CC672A361983B7B0AF3051A83128970BCEBAB22036D1E859
                                                                                                                                                                                                                          SHA-512:3A67EF230A06FAE3095926EAD9AAF329009BC0F2ED6AA1E6683C426ADA29DDD9CB77EC3BE134DFC4CD10A1F675D518FB4986363C4FE649D4247770B96DBC7A56
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):147848
                                                                                                                                                                                                                          Entropy (8bit):6.032707503792338
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:yiq8kuub1o2/5pds7tUMZNFxtPwVrHlGZ6U1SiWUwBpXtNpTE1MNniv:WFwzFQ9FGZ1SityhtNpTECU
                                                                                                                                                                                                                          MD5:B6DB385295FA78A6AABCF217FD3C3F83
                                                                                                                                                                                                                          SHA1:71E2A93223A6B8204EED6B9834284C0FA1D7EBD0
                                                                                                                                                                                                                          SHA-256:ABF40F07643E6D29D0817021991F9D27410B7DCAEF80980D849634ACEF255BDC
                                                                                                                                                                                                                          SHA-512:122FDB77C0AC6A7A2ECF5519BB059097EF119390E6D3C34F9FAB303D60279EE8649175617E3B6FC2A3D118B422CE8BC1BFFC208332D0A9F012271325AC0A0EE7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):149896
                                                                                                                                                                                                                          Entropy (8bit):6.136390335470081
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:PcRKLBm0ELV6Ra+eKBL24YzRk2XDuzEdnp+4WSspmfxPapkwN5RGV5xz/OEYW58R:qI0KRHeKBszRk2aApjsp7pBtZGh9
                                                                                                                                                                                                                          MD5:70B1C15FDBBFB88F91965DC7BBC5527F
                                                                                                                                                                                                                          SHA1:A473571DAC42819933CD7EF0C604F1EA0614D2F3
                                                                                                                                                                                                                          SHA-256:109878A7A6F6BD13637B7E3A2EBC22D37423716ECD4E954CC09BACB84B92F62B
                                                                                                                                                                                                                          SHA-512:C496EE2DDF6C401E9E48FB6D739C44200EBFE36B516E7608CECB3E32FEB620CE1531CC5DE26B1A4CD033C65FD002D6B6315B746CFB8B4D047A2954F6F33CA0A4
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):26752
                                                                                                                                                                                                                          Entropy (8bit):6.512503595653532
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:DulwnBhYlTVv2wK5idcgF4of1n6K9zUYJ:ywHYFtKYdcg/f1nXzUYJ
                                                                                                                                                                                                                          MD5:970B6E6478AE3AB699F277D77DE0CD19
                                                                                                                                                                                                                          SHA1:5475CB28998D419B4714343FFA9511FF46322AC2
                                                                                                                                                                                                                          SHA-256:5DC372A10F345B1F00EC6A8FA1A2CE569F7E5D63E4F1F8631BE367E46BFA34F4
                                                                                                                                                                                                                          SHA-512:F3AD2088C5D3FCB770C6D8212650EED95507E107A34F9468CA9DB99DEFD8838443A95E0B59A5A6CB65A18EBBC529110C5348513A321B44223F537096C6D7D6E0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):48256
                                                                                                                                                                                                                          Entropy (8bit):6.234996524588368
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:AMWC5N7mKWPKz4VJ4e0jeuTGlBh0JzqPPxofk3l9z2I:Y67hCfV8j3TGlB+JsafkHzP
                                                                                                                                                                                                                          MD5:37EB7CCE6E282D3572D64C880E1AC3C8
                                                                                                                                                                                                                          SHA1:9A2952589A19D650932E7C633577EB9AFC04F959
                                                                                                                                                                                                                          SHA-256:039155F155C5D14F5B73F4EE2CD1FBD9290F391B88A1D2A0BA815569205EDB74
                                                                                                                                                                                                                          SHA-512:E3C2EF1CC52E3AA5BD77B74DEC93A4FC9E908DF823426F13CA304265D41605DE51970CC8C7E18C2E76319D3225707B2EA2D8613402A25C4FBD3951E70FCFD521
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):88192
                                                                                                                                                                                                                          Entropy (8bit):6.25584016939133
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:0kUuBN7CjSkp9oa++t1BVryVKXDORdDeCNia6Lj4Fu/qSGnJdo0Wzs:ju/t/VryVKXeDezVLj4F/JdWQ
                                                                                                                                                                                                                          MD5:4186A905DC180A0CC2110403727BD792
                                                                                                                                                                                                                          SHA1:E0563D20CA7E95688A60F4BFC1AB0127EAE1F651
                                                                                                                                                                                                                          SHA-256:40DCB80A87A762745D0A15294B5CA7783A9EAD1D93AD352D25B5EDAF4994651E
                                                                                                                                                                                                                          SHA-512:1C3459232B41C531F01BCCE54E46799F2FB3FCD6C87D7F908C633ABCC718D9726D98E65F964B1A870D416A38F545971779054FE65F7C1299905FC7DC24FA2DEC
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                          Entropy (8bit):5.967185619483575
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
                                                                                                                                                                                                                          MD5:195FFB7167DB3219B217C4FD439EEDD6
                                                                                                                                                                                                                          SHA1:1E76E6099570EDE620B76ED47CF8D03A936D49F8
                                                                                                                                                                                                                          SHA-256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
                                                                                                                                                                                                                          SHA-512:56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):256912
                                                                                                                                                                                                                          Entropy (8bit):6.232383775712062
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:WEq38uejOBA0ItZ1PNWPQqLlXXXXVXDBsXdZC/R0EjW0VnXNvdroJ:/q0jOBARWPRLlXXXXVXSXdZk0EjW0VnM
                                                                                                                                                                                                                          MD5:850A43E323656B86AE665D8B4FD71369
                                                                                                                                                                                                                          SHA1:099D6E80C394CCC5233E1CBD6B29769DA9E0E2AA
                                                                                                                                                                                                                          SHA-256:539423D2E436E198DF15B5577D816DC306BA4C03B1362F7731E675B51F4A5F42
                                                                                                                                                                                                                          SHA-512:1F2778040E906EA2939A8B0A682E267599AA8422F81EA83BB6C980A304B569AD750EF3E81E1490EDD5B1D74E734A2CB82F428F47096C55436037E03E516D2378
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):359
                                                                                                                                                                                                                          Entropy (8bit):5.09733291062762
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:i4Z2TyUdkl9WUyUdkwc1+XMoHkyUdk3LASg0TqeXMFXA98XfFZ/FvjCzISMOmEm:jZELklIULktkXxELk35q0MhA98vFZ/FV
                                                                                                                                                                                                                          MD5:777B3CBF81DDD8B238BDEDDDEA17AFED
                                                                                                                                                                                                                          SHA1:C72F46715DCBC9BDA1E2BEEAC8AF2A64E7B48D08
                                                                                                                                                                                                                          SHA-256:DACE14B4A5268728E67A9E78D8F0877F4C87F6B87DDD40DFF28A11E9E42945CF
                                                                                                                                                                                                                          SHA-512:5C6D302F93381EBF65ADD3DAA0EB4813270C5D9A042AD9B8A48A575ADC4E751D3834292BB61AEF6A5458036AE6E3C83C8EDFAE5CF828D81317ACAE6675B8E619
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))..{ ..$arguments = "& '" + $myinvocation.mycommand.definition + "'"..Start-Process powershell -Verb runAs -ArgumentList $arguments..Break..}.. Set-NetConnectionProfile -NetworkCategory Private
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PEM certificate
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1912
                                                                                                                                                                                                                          Entropy (8bit):6.013187457463572
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:LrZOGn3n3+NKHqtdSLuARqhs9WWRR21mB4LearXRvW:Lrz3nnYhhfwc1eCearhvW
                                                                                                                                                                                                                          MD5:94F25D41487F654EF2371FA92544003C
                                                                                                                                                                                                                          SHA1:41A561AA773A21C240F74AF4F14DB7FB2479F630
                                                                                                                                                                                                                          SHA-256:E6A1EEFBCA63DDCE20065B080C202BF63686F473B91F2C64461434AFD071018C
                                                                                                                                                                                                                          SHA-512:281DCBF7852E3B81B3E09A889045C2B4357F684B4F511835A874BC98DEC7D4A77AD1EC1C0FE1D55D9616670278715FBFE9772F2518C3861933F6C392B6A939A4
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PEM certificate
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1912
                                                                                                                                                                                                                          Entropy (8bit):6.013187457463572
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:LrZOGn3n3+NKHqtdSLuARqhs9WWRR21mB4LearXRvW:Lrz3nnYhhfwc1eCearhvW
                                                                                                                                                                                                                          MD5:94F25D41487F654EF2371FA92544003C
                                                                                                                                                                                                                          SHA1:41A561AA773A21C240F74AF4F14DB7FB2479F630
                                                                                                                                                                                                                          SHA-256:E6A1EEFBCA63DDCE20065B080C202BF63686F473B91F2C64461434AFD071018C
                                                                                                                                                                                                                          SHA-512:281DCBF7852E3B81B3E09A889045C2B4357F684B4F511835A874BC98DEC7D4A77AD1EC1C0FE1D55D9616670278715FBFE9772F2518C3861933F6C392B6A939A4
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):618
                                                                                                                                                                                                                          Entropy (8bit):4.532694766524299
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:LrkTt/+xYnhEKMhS64Ar24EgJroQXj2OrcV7TdRwPXYGFc6895C1v:LrkTtcYnhEKoP4AK4EgJkCj2OrnoGFFx
                                                                                                                                                                                                                          MD5:005BF2A1B29FB74EF9ED7402A69D5CD5
                                                                                                                                                                                                                          SHA1:ADEFC73E4B4F34F304E78FD4DB2D3B6AD09C6AF7
                                                                                                                                                                                                                          SHA-256:F7FE79400908B148EB8E8AF16B0F1AFDF7CBCD33DCE23F96177473D0BF11DAFF
                                                                                                                                                                                                                          SHA-512:381CA1E2146A66D1ACC46F7E9F9081962BB96014C10EB5AA0AE60478B8DD902F1975D63AEE18675B95A71D90594338753D8C91CD21ED0939237562E61D0D3D69
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):321936
                                                                                                                                                                                                                          Entropy (8bit):6.249416182192696
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:49C2dRHqGR0N9BdVLATWWFQEDyhNSDEAIjUoMfqC9ulMdUBIKL:Z2dRHqGRyhAT9FxoSIAIx/C9ulMe2KL
                                                                                                                                                                                                                          MD5:5C1752EF16C7E3B28D9662E3C08FB08F
                                                                                                                                                                                                                          SHA1:4B3F3BE508D4C6CD8374FBB812EE30E99F8128C0
                                                                                                                                                                                                                          SHA-256:1BF45DF354D53D400EAF644E205DADDB0C07B408EB0C03D8CCFF765BD6659FB3
                                                                                                                                                                                                                          SHA-512:296F8AA642527C3A2364B9FA0E1C9F3EE3B7AD6F82D51685F71601F4E4A0E5DA5327FF1E1884F6264E7961417D54028B4E9BBE1B836968FF0F9D6685EBEE0327
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):397712
                                                                                                                                                                                                                          Entropy (8bit):6.40156340476818
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:ThaEhq4cY0f8IlE6BZR2nUx9lYOUgLZUrd:T4EhqR5lE6xSUx9lYOUg6rd
                                                                                                                                                                                                                          MD5:42C063882FD7CEDD3CC62356450D8987
                                                                                                                                                                                                                          SHA1:A09DB77F70A6F7D7C59418FC08250A8E13E8A60D
                                                                                                                                                                                                                          SHA-256:37D1EBFC8F423BF02DEC598C6421E4124C8C5666C27782180D84003039E88DFF
                                                                                                                                                                                                                          SHA-512:77AC9C670F91059B2CAA12DA9B5417CD71D525F900B7DDA51FFCF499AA2882734B342F6803814C6FDE1B527C9742ED9CF67AB1EE8D141CB437B57C979D89B456
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):93832
                                                                                                                                                                                                                          Entropy (8bit):5.48517352660103
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:kP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WGHK/CT:kePOYe4bu1epDh8RWGHK/M
                                                                                                                                                                                                                          MD5:A2ADF4897942B99FE0738F8C37FD15C0
                                                                                                                                                                                                                          SHA1:4192A2221F5C48A16427BF1898C0443CA27A29BB
                                                                                                                                                                                                                          SHA-256:B339B9A93A93B52F3EA0A5F2161E4B16BDA0CA7396D53ECA14C7D7F3E963A3A3
                                                                                                                                                                                                                          SHA-512:DF383B4B70C980C613F3C3EC4E99980DA6DB15F123D617197B644314233D1E2ADEC9F9162D6DBB7B874D885119082E01840102F0976F3CC767A78B5E467EF4A8
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):316
                                                                                                                                                                                                                          Entropy (8bit):5.3985610361996965
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:kCaFvHBvyXOBS7WFNiKGWxtfGT26BuXFoAyzyFEQRFQ1jt0V09:k9vBv5Y7WCKGWXOT7/+iQjOh0W
                                                                                                                                                                                                                          MD5:259CE13E63C08F5198A5D7337DCCC0C0
                                                                                                                                                                                                                          SHA1:E25C50EFBC8AF1D70BB42C72CB0D0246EBF6BCBC
                                                                                                                                                                                                                          SHA-256:CE97CB0477C8F8F626A50B6935EB817062EC69136443E1F62691700CBC0D4456
                                                                                                                                                                                                                          SHA-512:AD5319E8941E90D9C2FA60AD18B8061CAC31D0EE39DFDC1494E1A2B0A1F57AB661F034E6D60D8421FE07FB395B4FAF4F72B1C3C6E9459277A13961FC5EDB2CCC
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo OFF..@cd /d %~dp0..set OS=windows;....reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && set ARCH=i386 || set ARCH=amd64....for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j..if "%version%" == "10.0" set OS=windows10......call %OS%\%ARCH%\install_tap.bat
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):302
                                                                                                                                                                                                                          Entropy (8bit):5.3909078265911585
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:6vyXOBS7WFNiKGWxtfGT26BuXFoAyzyFEQRFQ1OoKG9:6v5Y7WCKGWXOT7/+iQjOOo1
                                                                                                                                                                                                                          MD5:6D857A141F9C245E6ACD7012120A0704
                                                                                                                                                                                                                          SHA1:66666950BDB2486C58B1C2D11132A98BF3A54EA8
                                                                                                                                                                                                                          SHA-256:992D1891016B4C45BACB4DB700195096F438BB10070484D63088F52E8063EEF7
                                                                                                                                                                                                                          SHA-512:8ACE3FA96B4FDA7B036A12EBF8DFC3E8C1FFCF212ED8F2A60FEB64806C26AABF926FF3D02D656EECE10B6F760F846E4196A9116FFF83BC00408697F7C3EEE180
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo OFF..set OS=windows;....reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && set ARCH=i386 || set ARCH=amd64....for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j..if "%version%" == "10.0" set OS=windows10....call %OS%\%ARCH%\uninstall_tap.bat
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):228
                                                                                                                                                                                                                          Entropy (8bit):4.832057381123706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:hiPFvPuaYkVVkZ0BNLllYYLV3GZ0Q/RLQ8NGN8BP:E9HuaYcyZcNLllYbZh/a8NGNc
                                                                                                                                                                                                                          MD5:939DFFC36D36E4C85EE6703C812987E5
                                                                                                                                                                                                                          SHA1:3BA5F451B1F5C269B4F51E847DA79A3C619CB9C9
                                                                                                                                                                                                                          SHA-256:843C2DFB5FE8DFE7C5266F8F79D1E0AC0BA3E40D5C883D4AF879B6F273B7499E
                                                                                                                                                                                                                          SHA-512:8958432897981533C2822AC7355D56FC490EB89157423FAA5DF13A5EC00E75A9E791A3ECF478561C3B13988C553FD739FD2047C37EF91972DBF61AB55D475314
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing old TAP driver.....tapinstall.exe remove tap0901 ..echo Installing TAP driver.....tapinstall.exe install OemVista.inf tap0901 ..echo TAP Driver Re-Installation completed successfully!..exit
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):142
                                                                                                                                                                                                                          Entropy (8bit):4.838122400792552
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyPuCkjLoOMXrHt9QVVkUoYmdFwLMiREl32AGN8BvAOA:hiPFvPullYkVVkxYmQLNREVNGN8B6
                                                                                                                                                                                                                          MD5:012961E4DD4402DA78BC174AF09B77F9
                                                                                                                                                                                                                          SHA1:900CA53983FAA217DD134664A9E694138E9A6FDF
                                                                                                                                                                                                                          SHA-256:E7D73C9323599320AFA243DB5313F1A55ADFC34EDE66A4A656CA9172BF3C273D
                                                                                                                                                                                                                          SHA-512:332A6BA6D1923A020DDB36E6E6FA80141B737ECC51EE52EE0D147B85DBC95DD3E97DA20083EAB3F5218DD9F4CA37DA986D35989F251F72C2512A42CBB6B462B9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing TAP driver.....tapinstall.exe remove tap0901..echo TAP Driver Uninstall completed successfully!..exit..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):507728
                                                                                                                                                                                                                          Entropy (8bit):6.351404653031349
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:6VF7vR03+4YnfLU6wXnSmZb3lKm34AJ9Qvtk1Ai8mTnu5gtZXqg7VcoyUyHi6/Cw:6VXU/3TNfAkTnrZqkyh/agGxwNdUo1h
                                                                                                                                                                                                                          MD5:E313336C82EB265542664CC7A360C5FF
                                                                                                                                                                                                                          SHA1:184211A456E09AC606DB76F814332CC912C0F5EB
                                                                                                                                                                                                                          SHA-256:B6B33F4CD19C606E4C616F08C11FD4AE775ACCB24B78EF66EB31C279CA403381
                                                                                                                                                                                                                          SHA-512:F156F2F55AF7026F5B3D2C5634806C5764FD230521D71969E80BBF6F6571730636DD5F6FE6C1138FA742E12003E5CC5F7D82E729EF7506057F8B510384E52386
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10711
                                                                                                                                                                                                                          Entropy (8bit):7.2254581318251425
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:PqDhDNF748XJCO39JnxrEwJqKkhYCxXA6qnaj/rHr:OXPJxXxkh3xXhlzX
                                                                                                                                                                                                                          MD5:225E7BA0E5E2D46813E5C858A4D0D5B0
                                                                                                                                                                                                                          SHA1:5DD49014764F634164520583FD0CEC87AB1A1625
                                                                                                                                                                                                                          SHA-256:B0BAF5CB84FA4ACB34B77A6231052061DA6B8676D216833724B7A602622161FB
                                                                                                                                                                                                                          SHA-512:9C77ADF7E71ACA94489DFEB536F796A017B7C05771962274BAE2C614E2AE6799CCEB36CC58AC470184C37F52DEAC75988BB14E6A329F432C6D7CEDBCA18272A8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10711
                                                                                                                                                                                                                          Entropy (8bit):7.2254581318251425
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:PqDhDNF748XJCO39JnxrEwJqKkhYCxXA6qnaj/rHr:OXPJxXxkh3xXhlzX
                                                                                                                                                                                                                          MD5:225E7BA0E5E2D46813E5C858A4D0D5B0
                                                                                                                                                                                                                          SHA1:5DD49014764F634164520583FD0CEC87AB1A1625
                                                                                                                                                                                                                          SHA-256:B0BAF5CB84FA4ACB34B77A6231052061DA6B8676D216833724B7A602622161FB
                                                                                                                                                                                                                          SHA-512:9C77ADF7E71ACA94489DFEB536F796A017B7C05771962274BAE2C614E2AE6799CCEB36CC58AC470184C37F52DEAC75988BB14E6A329F432C6D7CEDBCA18272A8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):507728
                                                                                                                                                                                                                          Entropy (8bit):6.351404653031349
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:6VF7vR03+4YnfLU6wXnSmZb3lKm34AJ9Qvtk1Ai8mTnu5gtZXqg7VcoyUyHi6/Cw:6VXU/3TNfAkTnrZqkyh/agGxwNdUo1h
                                                                                                                                                                                                                          MD5:E313336C82EB265542664CC7A360C5FF
                                                                                                                                                                                                                          SHA1:184211A456E09AC606DB76F814332CC912C0F5EB
                                                                                                                                                                                                                          SHA-256:B6B33F4CD19C606E4C616F08C11FD4AE775ACCB24B78EF66EB31C279CA403381
                                                                                                                                                                                                                          SHA-512:F156F2F55AF7026F5B3D2C5634806C5764FD230521D71969E80BBF6F6571730636DD5F6FE6C1138FA742E12003E5CC5F7D82E729EF7506057F8B510384E52386
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):142
                                                                                                                                                                                                                          Entropy (8bit):4.838122400792552
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyPuCkjLoOMXrHt9QVVkUoYmdFwLMiREl32AGN8BvAOA:hiPFvPullYkVVkxYmQLNREVNGN8B6
                                                                                                                                                                                                                          MD5:012961E4DD4402DA78BC174AF09B77F9
                                                                                                                                                                                                                          SHA1:900CA53983FAA217DD134664A9E694138E9A6FDF
                                                                                                                                                                                                                          SHA-256:E7D73C9323599320AFA243DB5313F1A55ADFC34EDE66A4A656CA9172BF3C273D
                                                                                                                                                                                                                          SHA-512:332A6BA6D1923A020DDB36E6E6FA80141B737ECC51EE52EE0D147B85DBC95DD3E97DA20083EAB3F5218DD9F4CA37DA986D35989F251F72C2512A42CBB6B462B9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing TAP driver.....tapinstall.exe remove tap0901..echo TAP Driver Uninstall completed successfully!..exit..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7533
                                                                                                                                                                                                                          Entropy (8bit):5.046821594517318
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlP2bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGTxzo3DcNSj6jvKFkinuEQTXvzaZ
                                                                                                                                                                                                                          MD5:3A541F2BF9842CDE6F0C95E83DE14FFA
                                                                                                                                                                                                                          SHA1:12C074F03AA19968893F2BE48FDEF42A293B7EE4
                                                                                                                                                                                                                          SHA-256:598EAD8481136AB0C8C99E67CA30841DB3C32417B45D6FEEDE04802DB0C4C320
                                                                                                                                                                                                                          SHA-512:F060851D26E978AFA6AC632E74C221FB837FDEEE7752762BEE210D7BE144195A27514E108EF8C19A642BC03486E94721BD1B9D4AC69DB26BD892DCAA7894D3D2
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):228
                                                                                                                                                                                                                          Entropy (8bit):4.832057381123706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:hiPFvPuaYkVVkZ0BNLllYYLV3GZ0Q/RLQ8NGN8BP:E9HuaYcyZcNLllYbZh/a8NGNc
                                                                                                                                                                                                                          MD5:939DFFC36D36E4C85EE6703C812987E5
                                                                                                                                                                                                                          SHA1:3BA5F451B1F5C269B4F51E847DA79A3C619CB9C9
                                                                                                                                                                                                                          SHA-256:843C2DFB5FE8DFE7C5266F8F79D1E0AC0BA3E40D5C883D4AF879B6F273B7499E
                                                                                                                                                                                                                          SHA-512:8958432897981533C2822AC7355D56FC490EB89157423FAA5DF13A5EC00E75A9E791A3ECF478561C3B13988C553FD739FD2047C37EF91972DBF61AB55D475314
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing old TAP driver.....tapinstall.exe remove tap0901 ..echo Installing TAP driver.....tapinstall.exe install OemVista.inf tap0901 ..echo TAP Driver Re-Installation completed successfully!..exit
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):35008
                                                                                                                                                                                                                          Entropy (8bit):6.574406479237283
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:nNoBjjOOA4dR/uEvBbuALxQbaxJxh639o:No9jyGu+BxLObev6No
                                                                                                                                                                                                                          MD5:77E134EBCD2C8EA7D217EBD61DAAA7B6
                                                                                                                                                                                                                          SHA1:F907526D7F1ED81A6F05BA040DE9E5DBEA421C52
                                                                                                                                                                                                                          SHA-256:CDC110B59A650CF576D7E059DDB1E171BDE50789DD14ABE1199340312177EEDE
                                                                                                                                                                                                                          SHA-512:57C6FFBB7D6D45EB461E2EAFDFA7B01FAAD0130511ED0C07931112FB72F7B1B18829BE3EBF1577DE4337B271F13C5F16528E588807F47A5B483A9BB4BFE6790C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7533
                                                                                                                                                                                                                          Entropy (8bit):5.046821594517318
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlP2bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGTxzo3DcNSj6jvKFkinuEQTXvzaZ
                                                                                                                                                                                                                          MD5:3A541F2BF9842CDE6F0C95E83DE14FFA
                                                                                                                                                                                                                          SHA1:12C074F03AA19968893F2BE48FDEF42A293B7EE4
                                                                                                                                                                                                                          SHA-256:598EAD8481136AB0C8C99E67CA30841DB3C32417B45D6FEEDE04802DB0C4C320
                                                                                                                                                                                                                          SHA-512:F060851D26E978AFA6AC632E74C221FB837FDEEE7752762BEE210D7BE144195A27514E108EF8C19A642BC03486E94721BD1B9D4AC69DB26BD892DCAA7894D3D2
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):228
                                                                                                                                                                                                                          Entropy (8bit):4.832057381123706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:hiPFvPuaYkVVkZ0BNLllYYLV3GZ0Q/RLQ8NGN8BP:E9HuaYcyZcNLllYbZh/a8NGNc
                                                                                                                                                                                                                          MD5:939DFFC36D36E4C85EE6703C812987E5
                                                                                                                                                                                                                          SHA1:3BA5F451B1F5C269B4F51E847DA79A3C619CB9C9
                                                                                                                                                                                                                          SHA-256:843C2DFB5FE8DFE7C5266F8F79D1E0AC0BA3E40D5C883D4AF879B6F273B7499E
                                                                                                                                                                                                                          SHA-512:8958432897981533C2822AC7355D56FC490EB89157423FAA5DF13A5EC00E75A9E791A3ECF478561C3B13988C553FD739FD2047C37EF91972DBF61AB55D475314
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing old TAP driver.....tapinstall.exe remove tap0901 ..echo Installing TAP driver.....tapinstall.exe install OemVista.inf tap0901 ..echo TAP Driver Re-Installation completed successfully!..exit
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):142
                                                                                                                                                                                                                          Entropy (8bit):4.838122400792552
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyPuCkjLoOMXrHt9QVVkUoYmdFwLMiREl32AGN8BvAOA:hiPFvPullYkVVkxYmQLNREVNGN8B6
                                                                                                                                                                                                                          MD5:012961E4DD4402DA78BC174AF09B77F9
                                                                                                                                                                                                                          SHA1:900CA53983FAA217DD134664A9E694138E9A6FDF
                                                                                                                                                                                                                          SHA-256:E7D73C9323599320AFA243DB5313F1A55ADFC34EDE66A4A656CA9172BF3C273D
                                                                                                                                                                                                                          SHA-512:332A6BA6D1923A020DDB36E6E6FA80141B737ECC51EE52EE0D147B85DBC95DD3E97DA20083EAB3F5218DD9F4CA37DA986D35989F251F72C2512A42CBB6B462B9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing TAP driver.....tapinstall.exe remove tap0901..echo TAP Driver Uninstall completed successfully!..exit..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):396840
                                                                                                                                                                                                                          Entropy (8bit):6.504700092936786
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:mkska7m3uFm4uy6b10MtxnOrPdmBe3oIkm:mAawb109dmBK5
                                                                                                                                                                                                                          MD5:D680D27DCC19546B721F731384EE56DD
                                                                                                                                                                                                                          SHA1:B418C1B8CB5E8259F9C8CBED29676AD101A15425
                                                                                                                                                                                                                          SHA-256:E64E59A011D45C5D9D93AC79305A060244796040FCFBA112D7F8218F945C7602
                                                                                                                                                                                                                          SHA-512:B495D60E97A782EDA01833F3A45AC03E5F2E6E629D7117ED34E6EA411E85FD8A012C21BD793ED59D7B352F3AA7552209F46203680974CCB57D003A1C690F476B
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10866
                                                                                                                                                                                                                          Entropy (8bit):7.241389894622462
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:LBDMDT23rJCeS39JnxrEwJqKkhYC9jOVKEwkqnajNkwIetug:LXdoJxXxkh39qVKtklJGNg
                                                                                                                                                                                                                          MD5:6A3C291EB986A23B427ECF92779C6902
                                                                                                                                                                                                                          SHA1:C96B9791A0F5AC27F84E2F3E06E64C8513168477
                                                                                                                                                                                                                          SHA-256:C996AA42A022F1DE293F14445FEC7038A7CDC6AA2C4632C5CCA07ED53F88F762
                                                                                                                                                                                                                          SHA-512:1FC247B10FB3717344174FC66EDD6ACC5DF171EDF9F70081715CA4C62499D6673B777B635EA043B397F6933201150E8D8EE28309BFA7F6F96326562D43BB6640
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):35008
                                                                                                                                                                                                                          Entropy (8bit):6.574406479237283
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:nNoBjjOOA4dR/uEvBbuALxQbaxJxh639o:No9jyGu+BxLObev6No
                                                                                                                                                                                                                          MD5:77E134EBCD2C8EA7D217EBD61DAAA7B6
                                                                                                                                                                                                                          SHA1:F907526D7F1ED81A6F05BA040DE9E5DBEA421C52
                                                                                                                                                                                                                          SHA-256:CDC110B59A650CF576D7E059DDB1E171BDE50789DD14ABE1199340312177EEDE
                                                                                                                                                                                                                          SHA-512:57C6FFBB7D6D45EB461E2EAFDFA7B01FAAD0130511ED0C07931112FB72F7B1B18829BE3EBF1577DE4337B271F13C5F16528E588807F47A5B483A9BB4BFE6790C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):228
                                                                                                                                                                                                                          Entropy (8bit):4.832057381123706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:hiPFvPuaYkVVkZ0BNLllYYLV3GZ0Q/RLQ8NGN8BP:E9HuaYcyZcNLllYbZh/a8NGNc
                                                                                                                                                                                                                          MD5:939DFFC36D36E4C85EE6703C812987E5
                                                                                                                                                                                                                          SHA1:3BA5F451B1F5C269B4F51E847DA79A3C619CB9C9
                                                                                                                                                                                                                          SHA-256:843C2DFB5FE8DFE7C5266F8F79D1E0AC0BA3E40D5C883D4AF879B6F273B7499E
                                                                                                                                                                                                                          SHA-512:8958432897981533C2822AC7355D56FC490EB89157423FAA5DF13A5EC00E75A9E791A3ECF478561C3B13988C553FD739FD2047C37EF91972DBF61AB55D475314
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing old TAP driver.....tapinstall.exe remove tap0901 ..echo Installing TAP driver.....tapinstall.exe install OemVista.inf tap0901 ..echo TAP Driver Re-Installation completed successfully!..exit
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10042
                                                                                                                                                                                                                          Entropy (8bit):7.139091215265505
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:rrIa34E9odZubhd95wRLeOup+ZscF8Bd1LEqsa9sgfxIZH54o:nCZYQA9+ZsHLEhDgf2h54o
                                                                                                                                                                                                                          MD5:685D08D5E2A2450648A40B518E2046FC
                                                                                                                                                                                                                          SHA1:D99E38968DE1CA1850971A2B81BFDAB49626AAED
                                                                                                                                                                                                                          SHA-256:56A658934ACC55AD665D685AE05913B4710E053A8FD385C0798B96041DA161B2
                                                                                                                                                                                                                          SHA-512:619D08317328B351FEEA51C08C57B4704EEA0A92836D6ED3BE850478EA6A9C2A14DFA30C763581608E16983010AB2E12B51E3BEC68F3480EE45A04C0E857FDB7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39384
                                                                                                                                                                                                                          Entropy (8bit):6.220766637489946
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:7CxLEO/+ApBG35KBOXZZoZmTf11a+uiExMFYQjEPKgz:NCI46R1a+jExMFFjWR
                                                                                                                                                                                                                          MD5:2CCA8DC5DA7F197C8C97A2EEBCBFA908
                                                                                                                                                                                                                          SHA1:1A463168F91A6AE254A3E99CE2691F9E7DBC2D46
                                                                                                                                                                                                                          SHA-256:AA1EA00EA7D1FD8E404FB5FEFF948CFB86642F803BDF23D8262B8A0C1151B643
                                                                                                                                                                                                                          SHA-512:AFBF92EA4A3C21048DC25FDC59779A0F20D6687CE9B2D0291268ED2D82A7020595AF2633EAE8623706162C36B24F6E8E70FA73F9D1088E2AB91BA8EAFB8E948F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):498504
                                                                                                                                                                                                                          Entropy (8bit):6.313132779768202
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:iVF7vR03+4YnfLU6wXnSmZb3lKm34AJ9Qvtk1Ai8mTnu5gtZXqg7VcoyUyHi6/Cz:iVXU/3TNfAkTnrZqkyh/agGKwNdUo15
                                                                                                                                                                                                                          MD5:F19CFFFF76FF48E98F060A563DD8345B
                                                                                                                                                                                                                          SHA1:C77F3FE9FFBA02DE288661FBB66656791196EDBC
                                                                                                                                                                                                                          SHA-256:16D1FF6409065D9C0BC50FC2ADE61B3299A141CF2553749D8891BEDBEA43DE70
                                                                                                                                                                                                                          SHA-512:0D4A53FA4B0D4FF71AF1FFF5888005570404BF5309942F477B1D754073F6D200ABADE20DAAFFA3FB6DA55F2B23588CA439273BD9268257B83B00F973B7B61841
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):228
                                                                                                                                                                                                                          Entropy (8bit):4.832057381123706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:hiPFvPuaYkVVkZ0BNLllYYLV3GZ0Q/RLQ8NGN8BP:E9HuaYcyZcNLllYbZh/a8NGNc
                                                                                                                                                                                                                          MD5:939DFFC36D36E4C85EE6703C812987E5
                                                                                                                                                                                                                          SHA1:3BA5F451B1F5C269B4F51E847DA79A3C619CB9C9
                                                                                                                                                                                                                          SHA-256:843C2DFB5FE8DFE7C5266F8F79D1E0AC0BA3E40D5C883D4AF879B6F273B7499E
                                                                                                                                                                                                                          SHA-512:8958432897981533C2822AC7355D56FC490EB89157423FAA5DF13A5EC00E75A9E791A3ECF478561C3B13988C553FD739FD2047C37EF91972DBF61AB55D475314
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing old TAP driver.....tapinstall.exe remove tap0901 ..echo Installing TAP driver.....tapinstall.exe install OemVista.inf tap0901 ..echo TAP Driver Re-Installation completed successfully!..exit
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):142
                                                                                                                                                                                                                          Entropy (8bit):4.838122400792552
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyPuCkjLoOMXrHt9QVVkUoYmdFwLMiREl32AGN8BvAOA:hiPFvPullYkVVkxYmQLNREVNGN8B6
                                                                                                                                                                                                                          MD5:012961E4DD4402DA78BC174AF09B77F9
                                                                                                                                                                                                                          SHA1:900CA53983FAA217DD134664A9E694138E9A6FDF
                                                                                                                                                                                                                          SHA-256:E7D73C9323599320AFA243DB5313F1A55ADFC34EDE66A4A656CA9172BF3C273D
                                                                                                                                                                                                                          SHA-512:332A6BA6D1923A020DDB36E6E6FA80141B737ECC51EE52EE0D147B85DBC95DD3E97DA20083EAB3F5218DD9F4CA37DA986D35989F251F72C2512A42CBB6B462B9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing TAP driver.....tapinstall.exe remove tap0901..echo TAP Driver Uninstall completed successfully!..exit..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10042
                                                                                                                                                                                                                          Entropy (8bit):7.139091215265505
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:rrIa34E9odZubhd95wRLeOup+ZscF8Bd1LEqsa9sgfxIZH54o:nCZYQA9+ZsHLEhDgf2h54o
                                                                                                                                                                                                                          MD5:685D08D5E2A2450648A40B518E2046FC
                                                                                                                                                                                                                          SHA1:D99E38968DE1CA1850971A2B81BFDAB49626AAED
                                                                                                                                                                                                                          SHA-256:56A658934ACC55AD665D685AE05913B4710E053A8FD385C0798B96041DA161B2
                                                                                                                                                                                                                          SHA-512:619D08317328B351FEEA51C08C57B4704EEA0A92836D6ED3BE850478EA6A9C2A14DFA30C763581608E16983010AB2E12B51E3BEC68F3480EE45A04C0E857FDB7
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39384
                                                                                                                                                                                                                          Entropy (8bit):6.220766637489946
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:7CxLEO/+ApBG35KBOXZZoZmTf11a+uiExMFYQjEPKgz:NCI46R1a+jExMFFjWR
                                                                                                                                                                                                                          MD5:2CCA8DC5DA7F197C8C97A2EEBCBFA908
                                                                                                                                                                                                                          SHA1:1A463168F91A6AE254A3E99CE2691F9E7DBC2D46
                                                                                                                                                                                                                          SHA-256:AA1EA00EA7D1FD8E404FB5FEFF948CFB86642F803BDF23D8262B8A0C1151B643
                                                                                                                                                                                                                          SHA-512:AFBF92EA4A3C21048DC25FDC59779A0F20D6687CE9B2D0291268ED2D82A7020595AF2633EAE8623706162C36B24F6E8E70FA73F9D1088E2AB91BA8EAFB8E948F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):498504
                                                                                                                                                                                                                          Entropy (8bit):6.313132779768202
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:iVF7vR03+4YnfLU6wXnSmZb3lKm34AJ9Qvtk1Ai8mTnu5gtZXqg7VcoyUyHi6/Cz:iVXU/3TNfAkTnrZqkyh/agGKwNdUo15
                                                                                                                                                                                                                          MD5:F19CFFFF76FF48E98F060A563DD8345B
                                                                                                                                                                                                                          SHA1:C77F3FE9FFBA02DE288661FBB66656791196EDBC
                                                                                                                                                                                                                          SHA-256:16D1FF6409065D9C0BC50FC2ADE61B3299A141CF2553749D8891BEDBEA43DE70
                                                                                                                                                                                                                          SHA-512:0D4A53FA4B0D4FF71AF1FFF5888005570404BF5309942F477B1D754073F6D200ABADE20DAAFFA3FB6DA55F2B23588CA439273BD9268257B83B00F973B7B61841
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):142
                                                                                                                                                                                                                          Entropy (8bit):4.838122400792552
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyPuCkjLoOMXrHt9QVVkUoYmdFwLMiREl32AGN8BvAOA:hiPFvPullYkVVkxYmQLNREVNGN8B6
                                                                                                                                                                                                                          MD5:012961E4DD4402DA78BC174AF09B77F9
                                                                                                                                                                                                                          SHA1:900CA53983FAA217DD134664A9E694138E9A6FDF
                                                                                                                                                                                                                          SHA-256:E7D73C9323599320AFA243DB5313F1A55ADFC34EDE66A4A656CA9172BF3C273D
                                                                                                                                                                                                                          SHA-512:332A6BA6D1923A020DDB36E6E6FA80141B737ECC51EE52EE0D147B85DBC95DD3E97DA20083EAB3F5218DD9F4CA37DA986D35989F251F72C2512A42CBB6B462B9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing TAP driver.....tapinstall.exe remove tap0901..echo TAP Driver Uninstall completed successfully!..exit..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7533
                                                                                                                                                                                                                          Entropy (8bit):5.046821594517318
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlP2bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGTxzo3DcNSj6jvKFkinuEQTXvzaZ
                                                                                                                                                                                                                          MD5:3A541F2BF9842CDE6F0C95E83DE14FFA
                                                                                                                                                                                                                          SHA1:12C074F03AA19968893F2BE48FDEF42A293B7EE4
                                                                                                                                                                                                                          SHA-256:598EAD8481136AB0C8C99E67CA30841DB3C32417B45D6FEEDE04802DB0C4C320
                                                                                                                                                                                                                          SHA-512:F060851D26E978AFA6AC632E74C221FB837FDEEE7752762BEE210D7BE144195A27514E108EF8C19A642BC03486E94721BD1B9D4AC69DB26BD892DCAA7894D3D2
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):228
                                                                                                                                                                                                                          Entropy (8bit):4.832057381123706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:hiPFvPuaYkVVkZ0BNLllYYLV3GZ0Q/RLQ8NGN8BP:E9HuaYcyZcNLllYbZh/a8NGNc
                                                                                                                                                                                                                          MD5:939DFFC36D36E4C85EE6703C812987E5
                                                                                                                                                                                                                          SHA1:3BA5F451B1F5C269B4F51E847DA79A3C619CB9C9
                                                                                                                                                                                                                          SHA-256:843C2DFB5FE8DFE7C5266F8F79D1E0AC0BA3E40D5C883D4AF879B6F273B7499E
                                                                                                                                                                                                                          SHA-512:8958432897981533C2822AC7355D56FC490EB89157423FAA5DF13A5EC00E75A9E791A3ECF478561C3B13988C553FD739FD2047C37EF91972DBF61AB55D475314
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing old TAP driver.....tapinstall.exe remove tap0901 ..echo Installing TAP driver.....tapinstall.exe install OemVista.inf tap0901 ..echo TAP Driver Re-Installation completed successfully!..exit
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):142
                                                                                                                                                                                                                          Entropy (8bit):4.838122400792552
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyPuCkjLoOMXrHt9QVVkUoYmdFwLMiREl32AGN8BvAOA:hiPFvPullYkVVkxYmQLNREVNGN8B6
                                                                                                                                                                                                                          MD5:012961E4DD4402DA78BC174AF09B77F9
                                                                                                                                                                                                                          SHA1:900CA53983FAA217DD134664A9E694138E9A6FDF
                                                                                                                                                                                                                          SHA-256:E7D73C9323599320AFA243DB5313F1A55ADFC34EDE66A4A656CA9172BF3C273D
                                                                                                                                                                                                                          SHA-512:332A6BA6D1923A020DDB36E6E6FA80141B737ECC51EE52EE0D147B85DBC95DD3E97DA20083EAB3F5218DD9F4CA37DA986D35989F251F72C2512A42CBB6B462B9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing TAP driver.....tapinstall.exe remove tap0901..echo TAP Driver Uninstall completed successfully!..exit..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7533
                                                                                                                                                                                                                          Entropy (8bit):5.046821594517318
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlP2bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGTxzo3DcNSj6jvKFkinuEQTXvzaZ
                                                                                                                                                                                                                          MD5:3A541F2BF9842CDE6F0C95E83DE14FFA
                                                                                                                                                                                                                          SHA1:12C074F03AA19968893F2BE48FDEF42A293B7EE4
                                                                                                                                                                                                                          SHA-256:598EAD8481136AB0C8C99E67CA30841DB3C32417B45D6FEEDE04802DB0C4C320
                                                                                                                                                                                                                          SHA-512:F060851D26E978AFA6AC632E74C221FB837FDEEE7752762BEE210D7BE144195A27514E108EF8C19A642BC03486E94721BD1B9D4AC69DB26BD892DCAA7894D3D2
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):228
                                                                                                                                                                                                                          Entropy (8bit):4.832057381123706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:hiPFvPuaYkVVkZ0BNLllYYLV3GZ0Q/RLQ8NGN8BP:E9HuaYcyZcNLllYbZh/a8NGNc
                                                                                                                                                                                                                          MD5:939DFFC36D36E4C85EE6703C812987E5
                                                                                                                                                                                                                          SHA1:3BA5F451B1F5C269B4F51E847DA79A3C619CB9C9
                                                                                                                                                                                                                          SHA-256:843C2DFB5FE8DFE7C5266F8F79D1E0AC0BA3E40D5C883D4AF879B6F273B7499E
                                                                                                                                                                                                                          SHA-512:8958432897981533C2822AC7355D56FC490EB89157423FAA5DF13A5EC00E75A9E791A3ECF478561C3B13988C553FD739FD2047C37EF91972DBF61AB55D475314
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing old TAP driver.....tapinstall.exe remove tap0901 ..echo Installing TAP driver.....tapinstall.exe install OemVista.inf tap0901 ..echo TAP Driver Re-Installation completed successfully!..exit
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):387400
                                                                                                                                                                                                                          Entropy (8bit):6.458236487570103
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:UTksWxn+v8a7/e3uFm4uy6b1aptMtx1IAOrPdmB4SS4Vw3VTBZiA916NkW:Akska7m3uFm4uy6b10MtxnOrPdmBe3XE
                                                                                                                                                                                                                          MD5:46F33BBA03FF35C0A777B5875E832559
                                                                                                                                                                                                                          SHA1:C4B5487307DB1B715EDA5C233DBD346EF44ABF02
                                                                                                                                                                                                                          SHA-256:72D329B11A240403A74990F7F05CDDA684F53FBFC1E45EE3E565E38000C6FDA1
                                                                                                                                                                                                                          SHA-512:7130F9DEE420D2A377E3CDAE0C47D1F8446E2DA4E021274A15F4FD00583F79C0DBF05819216ABBAAE5493BF1CB1E4FA08EFA673CCDA1BC3A623BAEC828DFC413
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):34264
                                                                                                                                                                                                                          Entropy (8bit):6.451114076364161
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:nToflu9IisjjMJvOA4hKtbAwut9l/AxkDur/MvBhLwI7PKA+bkxQJ7XakZSZ4dS5:nToBjjOOA4dR/uQvBbuALxQbagPKgzW
                                                                                                                                                                                                                          MD5:EF55CAAABD0E13C304587D941C343F77
                                                                                                                                                                                                                          SHA1:F0E323EF510E00FC925A7FB37C625D077FECA8A3
                                                                                                                                                                                                                          SHA-256:A4E2E4194E15BC93A53FFAB121CCE22CC76EDBC18DFB83132A95F92C9220509F
                                                                                                                                                                                                                          SHA-512:D2C61CCB73C90D26A4D39EBADE87A6F7F23CAA34B29AE14FFA08CA48A32086C6553CA12D38362B6179E82776F3D76F4B05FDD2238B5E7BE4FEEC98A4D8D52573
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10010
                                                                                                                                                                                                                          Entropy (8bit):7.143392930093258
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:bdOUGdndfdZubhd95wRLeOup+ZscF8Bd1LELx8a9sgfxIZH3:p7oFZYQA9+ZsHLE98Dgf2h3
                                                                                                                                                                                                                          MD5:BEE546D1A9EE2F74F4C9B0A347DBAB7C
                                                                                                                                                                                                                          SHA1:BB655AEDDFACE5C498DC8EC5A3E68685FDFE6D50
                                                                                                                                                                                                                          SHA-256:DBC0D9D157718C90227D527A9BFC87C9135426A7A1A7C0ECD3F43825AAA2EE0E
                                                                                                                                                                                                                          SHA-512:B68F5F6572BB881B116746AB1BF90AE1E16449E0797D482B1D5A551241ED37A30EF105AECA7B1CEB62CB38962B285D29159B9E68DC1BC3B457B2A14531A80F44
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10010
                                                                                                                                                                                                                          Entropy (8bit):7.143392930093258
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:bdOUGdndfdZubhd95wRLeOup+ZscF8Bd1LELx8a9sgfxIZH3:p7oFZYQA9+ZsHLE98Dgf2h3
                                                                                                                                                                                                                          MD5:BEE546D1A9EE2F74F4C9B0A347DBAB7C
                                                                                                                                                                                                                          SHA1:BB655AEDDFACE5C498DC8EC5A3E68685FDFE6D50
                                                                                                                                                                                                                          SHA-256:DBC0D9D157718C90227D527A9BFC87C9135426A7A1A7C0ECD3F43825AAA2EE0E
                                                                                                                                                                                                                          SHA-512:B68F5F6572BB881B116746AB1BF90AE1E16449E0797D482B1D5A551241ED37A30EF105AECA7B1CEB62CB38962B285D29159B9E68DC1BC3B457B2A14531A80F44
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):34264
                                                                                                                                                                                                                          Entropy (8bit):6.451114076364161
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:nToflu9IisjjMJvOA4hKtbAwut9l/AxkDur/MvBhLwI7PKA+bkxQJ7XakZSZ4dS5:nToBjjOOA4dR/uQvBbuALxQbagPKgzW
                                                                                                                                                                                                                          MD5:EF55CAAABD0E13C304587D941C343F77
                                                                                                                                                                                                                          SHA1:F0E323EF510E00FC925A7FB37C625D077FECA8A3
                                                                                                                                                                                                                          SHA-256:A4E2E4194E15BC93A53FFAB121CCE22CC76EDBC18DFB83132A95F92C9220509F
                                                                                                                                                                                                                          SHA-512:D2C61CCB73C90D26A4D39EBADE87A6F7F23CAA34B29AE14FFA08CA48A32086C6553CA12D38362B6179E82776F3D76F4B05FDD2238B5E7BE4FEEC98A4D8D52573
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):387400
                                                                                                                                                                                                                          Entropy (8bit):6.458236487570103
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:UTksWxn+v8a7/e3uFm4uy6b1aptMtx1IAOrPdmB4SS4Vw3VTBZiA916NkW:Akska7m3uFm4uy6b10MtxnOrPdmBe3XE
                                                                                                                                                                                                                          MD5:46F33BBA03FF35C0A777B5875E832559
                                                                                                                                                                                                                          SHA1:C4B5487307DB1B715EDA5C233DBD346EF44ABF02
                                                                                                                                                                                                                          SHA-256:72D329B11A240403A74990F7F05CDDA684F53FBFC1E45EE3E565E38000C6FDA1
                                                                                                                                                                                                                          SHA-512:7130F9DEE420D2A377E3CDAE0C47D1F8446E2DA4E021274A15F4FD00583F79C0DBF05819216ABBAAE5493BF1CB1E4FA08EFA673CCDA1BC3A623BAEC828DFC413
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):142
                                                                                                                                                                                                                          Entropy (8bit):4.838122400792552
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyPuCkjLoOMXrHt9QVVkUoYmdFwLMiREl32AGN8BvAOA:hiPFvPullYkVVkxYmQLNREVNGN8B6
                                                                                                                                                                                                                          MD5:012961E4DD4402DA78BC174AF09B77F9
                                                                                                                                                                                                                          SHA1:900CA53983FAA217DD134664A9E694138E9A6FDF
                                                                                                                                                                                                                          SHA-256:E7D73C9323599320AFA243DB5313F1A55ADFC34EDE66A4A656CA9172BF3C273D
                                                                                                                                                                                                                          SHA-512:332A6BA6D1923A020DDB36E6E6FA80141B737ECC51EE52EE0D147B85DBC95DD3E97DA20083EAB3F5218DD9F4CA37DA986D35989F251F72C2512A42CBB6B462B9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..echo Removing TAP driver.....tapinstall.exe remove tap0901..echo TAP Driver Uninstall completed successfully!..exit..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):346512
                                                                                                                                                                                                                          Entropy (8bit):6.253406880555808
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:sQz5UqJwVKCsnOeuj9PDnBQpUZyNVHhl/FPTCgTx:sQ1UqChsnOeMhBaQy9l/FPW0x
                                                                                                                                                                                                                          MD5:9641732F1DB2EAB135130C9128C1427A
                                                                                                                                                                                                                          SHA1:88B0857CFE055A1D920E55B3094116162E4EAA00
                                                                                                                                                                                                                          SHA-256:B47CD11E4089FE0AE8BAF4E05B4CCF19B1DFE403FD392649E9253C05D58F3CBC
                                                                                                                                                                                                                          SHA-512:5C87B26E51771B61FDF87D577781B1FB163527D0F03E74327BC11EA1A24B1B449D4AB23F7393466ED4BAF3809A5151EB30928F462B5FCD55BB8DE4BD733856A8
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):313744
                                                                                                                                                                                                                          Entropy (8bit):6.2705364965004815
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:7OqwvZdI0CglL0fN5ra4KBb5cSgQkJjMoplVNLQDrkHW:6qwvigF0fN5OB5dgQkBplVNLQDeW
                                                                                                                                                                                                                          MD5:2EEEB7F9DCC44DC28CBFBAF94176CA6F
                                                                                                                                                                                                                          SHA1:65055D6EE4E5A322DB3C74B0EF8CDADECDB32737
                                                                                                                                                                                                                          SHA-256:966DDE59F9ABD125F763A95273BF923C2543A4B9F43F6F0C5587CCA308BD9FFD
                                                                                                                                                                                                                          SHA-512:5919481A1768E9B19CE79ADDDFFC25A6BCDA326232FEB6E61729C2173292F3E2EC7266C646090DCC061A2E9643084583E43947774FDF76842316249B3B2E911F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):344464
                                                                                                                                                                                                                          Entropy (8bit):6.268258211828341
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:eyhvW10qILfhXrbR0fkN0addZrKKOYQ9gsYlFtx/pP8fW5:eyhW0qIF10fkNBvgK5QRYlFtxxP8fW5
                                                                                                                                                                                                                          MD5:E6C6C72226677BACF6EC83BEDA63F49D
                                                                                                                                                                                                                          SHA1:C0E75C5A5B9D7C8CD07E80A2BA4D809801EFF649
                                                                                                                                                                                                                          SHA-256:2018F17E324516FC891E5C868E2045970855A3A1521D73F0F6AE12EBF12CFBBA
                                                                                                                                                                                                                          SHA-512:3A52B60711EFB4A34E5FF655E60D51A29C6D4B2CD4561A421A51647D5FCB2C75F1468A8F93C25206EDEBCF259112A4C7DA41F90181FF7E53946E1FFF5FB3F353
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):17983376
                                                                                                                                                                                                                          Entropy (8bit):6.549243204630475
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:98304:2M5ISKnKKu/60i9gzTcriqcN9MX4C7GsIAfiz8xS6RWhi62KFfQWmLu2EkKZ3uNx:xO6ggzLI7op6Rt69L2kuNx
                                                                                                                                                                                                                          MD5:E3E8D995E4A1D5E84EE11DBD58D21F3B
                                                                                                                                                                                                                          SHA1:52E7AFB03DD3F45F7B8839879FEC1ACC7965A62E
                                                                                                                                                                                                                          SHA-256:29782AC1F424865FA1007A5F818F35ABB5307B01C099AAA38067513E516A0454
                                                                                                                                                                                                                          SHA-512:F4FB26D4DC2D91D36FD8F26B9BE6B74F50DF94DE530AFDD8D2D5E9D6D6300B52FB9C6EFBD94A95D630094CE59D5D1AA1B898F810BE8806B7E9DFC5466D312659
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):929318
                                                                                                                                                                                                                          Entropy (8bit):7.900306716974538
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:+20deSdhsNk795wZ08KxwK29H7hfnn3MQYa:+20ddsy95WKxwKQnc2
                                                                                                                                                                                                                          MD5:2D1F8BF06610A54B8A61894239012C3B
                                                                                                                                                                                                                          SHA1:98BA3AEC7A32B6BCB264B51364A0A8A664E4FE82
                                                                                                                                                                                                                          SHA-256:8FAFAB1032577F2EDC583C676A9BBFEECF929B5BE22950183C9A77BC2123798B
                                                                                                                                                                                                                          SHA-512:AE9DB2DEA48BFC54274975306FA98921882EA43A590DCF60733B964253C3E9D97BE9CC97F45F18ECCB65802C0EC4599BAFBFF781FE635D6364BD0B657C95655E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):63258
                                                                                                                                                                                                                          Entropy (8bit):4.638400083452387
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:PcJillRMp5RLRYkKJdcmFT38Q9aSePEUX5:PcJiDRMD9YdtePz5
                                                                                                                                                                                                                          MD5:127A512367895E269AD9922079C47761
                                                                                                                                                                                                                          SHA1:7444878FEF13B7B4FCBE57D2DB2C527A34CA48C5
                                                                                                                                                                                                                          SHA-256:E841508B1B3D7615F17E691334ECB6B1A7F7A83BC531BFF272E85F048AA3DDFD
                                                                                                                                                                                                                          SHA-512:90E486FA09945BCCBD24542C31F832BEC4AA6EAE7D7A1522526018D0AC38CE855F545E1AB7AEFA1B6F7D78E6F0C8333A607E8A9BF1DCFA74E9E4F3B113AFD15F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):865416
                                                                                                                                                                                                                          Entropy (8bit):6.558002511161394
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:dxRZrLEvOx+pFpQlzLyPkET7c5zaSjLUVaoNkUNBKsEpX:dtUmxmpQFLyPkEixWi
                                                                                                                                                                                                                          MD5:A151697A9F14639BFA2CB3E470CEA355
                                                                                                                                                                                                                          SHA1:FA45D614ABFF2ED9A707E3DFC02F404CFC18A89F
                                                                                                                                                                                                                          SHA-256:4794C710A3E624B1A0D956CFE21EC0433FD85BD2D8EB96ACE3F2B5E5302E225C
                                                                                                                                                                                                                          SHA-512:888CFD3919482BB56A15E23A73C868C277CA925EED122327E3399C23D0D647F07B9CD67CCAE28AFD1048A41710DA50126B38E75D7455F56AA95BBECA42D228BF
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):776328
                                                                                                                                                                                                                          Entropy (8bit):6.92032788063544
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:uQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hUk/K:vmCy3VQs9MtLjTgfa3kon9FaOdEukC
                                                                                                                                                                                                                          MD5:6ECA26F16FEB505B1BD0A0A25DA4AEDB
                                                                                                                                                                                                                          SHA1:297A6E0D660FAF9E924B2BE827D9D9DC81E4EB85
                                                                                                                                                                                                                          SHA-256:CD9005B83CAB43E566F287D1BB1A3DE33F2D67AD5013DC5213232A5DC5309BDB
                                                                                                                                                                                                                          SHA-512:78F749E1D591D9AC2C1BB3A47FA7D4099A18303357F990E97D6E531FA50FE2466C8A203504F599C74EE92DFA179CC4AFBC561C60AFD01FA103A3276E79760A46
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):68744
                                                                                                                                                                                                                          Entropy (8bit):6.03232541602541
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:OhNHth2MbtFwpJgYCV7JToLDkhqQovzeTJdCK/C1:OhHTbtsRCskcQovzeTJdCK/a
                                                                                                                                                                                                                          MD5:41E94A80206A87D947CE6CF5823494BE
                                                                                                                                                                                                                          SHA1:558214579EE8F2732C36F779E545BA1340191E49
                                                                                                                                                                                                                          SHA-256:E4275E6430AE1EC21A5CD0F2FC382998DEBC1E433A66129527C1B69792F09F95
                                                                                                                                                                                                                          SHA-512:54B0DD18BA43C48B3FC21E4366D7D1DC65147A84AFA3DC29D94C4CF80B49FA67150B8303F576683F712E648CAFF516BFEA3A6F93435D6B33DCAB2C43BC762E35
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):323472
                                                                                                                                                                                                                          Entropy (8bit):6.260791393809843
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:xadPqy3/nKyWFZS3PCmxiVvUTiJ+1I2hWHlHTkPXdxs4:wqyAA3PCmwV8i41I2gHlHTkvdW4
                                                                                                                                                                                                                          MD5:128D06B8C5739F35A7C76A76BF1E6149
                                                                                                                                                                                                                          SHA1:901F9698BF4C4A10E8E902E6DBDDF1782E1067D0
                                                                                                                                                                                                                          SHA-256:BF585DBC4E4DCE47F9EFDEEAD15F67A69644CE6F1177CEEC518882DC85ECC096
                                                                                                                                                                                                                          SHA-512:ECE9254486347751D6F68AE86AFB36508FED81B00C4588F555DB584A0E9DE5F4710A24E6BB5B2B19A25BEE20AA4BF90068F9EB2E37B48271614B6C97199E419C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):27784
                                                                                                                                                                                                                          Entropy (8bit):6.488306745612165
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:YVfdXePAee0fxvSDv2atBymU+DpbGEgivBpnpwK3CrFqa2S0FP27NBYearrDVY:afdXfOvObbU+Nb5RgrFq7rK/YfrDS
                                                                                                                                                                                                                          MD5:41C55E2A9D5D9B23C08E3DC067780DC7
                                                                                                                                                                                                                          SHA1:1FB62C7FCF24F604676896121C1CCAFB628C1BE1
                                                                                                                                                                                                                          SHA-256:D76995DCE5A5A3B0D77ABB438C14504F9825A6BC98676F1BA8D0CC18CEBB0545
                                                                                                                                                                                                                          SHA-512:396E8878BAFCFC0DF994B9AF23176D343230B6F6EE82A71E14EFA56347EF0C63B4D277C029EF9FB3EF69D6F1B8AE73ECF92D8DCEDC9312E0C8BFA86EC0B611D2
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):256912
                                                                                                                                                                                                                          Entropy (8bit):6.232383775712062
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:WEq38uejOBA0ItZ1PNWPQqLlXXXXVXDBsXdZC/R0EjW0VnXNvdroJ:/q0jOBARWPRLlXXXXVXSXdZk0EjW0VnM
                                                                                                                                                                                                                          MD5:850A43E323656B86AE665D8B4FD71369
                                                                                                                                                                                                                          SHA1:099D6E80C394CCC5233E1CBD6B29769DA9E0E2AA
                                                                                                                                                                                                                          SHA-256:539423D2E436E198DF15B5577D816DC306BA4C03B1362F7731E675B51F4A5F42
                                                                                                                                                                                                                          SHA-512:1F2778040E906EA2939A8B0A682E267599AA8422F81EA83BB6C980A304B569AD750EF3E81E1490EDD5B1D74E734A2CB82F428F47096C55436037E03E516D2378
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):397712
                                                                                                                                                                                                                          Entropy (8bit):6.40156340476818
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:ThaEhq4cY0f8IlE6BZR2nUx9lYOUgLZUrd:T4EhqR5lE6xSUx9lYOUg6rd
                                                                                                                                                                                                                          MD5:42C063882FD7CEDD3CC62356450D8987
                                                                                                                                                                                                                          SHA1:A09DB77F70A6F7D7C59418FC08250A8E13E8A60D
                                                                                                                                                                                                                          SHA-256:37D1EBFC8F423BF02DEC598C6421E4124C8C5666C27782180D84003039E88DFF
                                                                                                                                                                                                                          SHA-512:77AC9C670F91059B2CAA12DA9B5417CD71D525F900B7DDA51FFCF499AA2882734B342F6803814C6FDE1B527C9742ED9CF67AB1EE8D141CB437B57C979D89B456
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8184456
                                                                                                                                                                                                                          Entropy (8bit):6.15917051663501
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:98304:AD3K0YyOAYcd0ZLpNu6JmM1W8YcTpOG7ZE78O:ALzUwsFYc9OG7ZE78O
                                                                                                                                                                                                                          MD5:5850A25689FA1B36CD6B76E2E7F6BDB3
                                                                                                                                                                                                                          SHA1:299CEBD4CD448239BF5094DCC0632100287C0B85
                                                                                                                                                                                                                          SHA-256:803870B4FCC1A8C0675EE1D5AA5DEB4132514974CDF0F8F7BA40035377FFDCFA
                                                                                                                                                                                                                          SHA-512:F64A196D0FE937112604D7B0CFE2099928987ECEAA650728C88ECE9BAEF288AF2E4BCDD52D3199D8787290F5071287DAFA5DC6FD44775E52CA1E04237411888F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp, Author: Joe Security
                                                                                                                                                                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: C:\Program Files\FastestVPN\Resources\is-7E4EB.tmp, Author: ditekSHen
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):17983376
                                                                                                                                                                                                                          Entropy (8bit):6.549243204630475
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:98304:2M5ISKnKKu/60i9gzTcriqcN9MX4C7GsIAfiz8xS6RWhi62KFfQWmLu2EkKZ3uNx:xO6ggzLI7op6Rt69L2kuNx
                                                                                                                                                                                                                          MD5:E3E8D995E4A1D5E84EE11DBD58D21F3B
                                                                                                                                                                                                                          SHA1:52E7AFB03DD3F45F7B8839879FEC1ACC7965A62E
                                                                                                                                                                                                                          SHA-256:29782AC1F424865FA1007A5F818F35ABB5307B01C099AAA38067513E516A0454
                                                                                                                                                                                                                          SHA-512:F4FB26D4DC2D91D36FD8F26B9BE6B74F50DF94DE530AFDD8D2D5E9D6D6300B52FB9C6EFBD94A95D630094CE59D5D1AA1B898F810BE8806B7E9DFC5466D312659
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):323472
                                                                                                                                                                                                                          Entropy (8bit):6.24323878406639
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:aK/qrBUA8kikYQQ2sXvNnot1bdNtb1lHSdrkjoE:a8qC5kikpQX1ny1bdv1lHSdYjoE
                                                                                                                                                                                                                          MD5:BFEC2012B6589D4496EA0283E90A5269
                                                                                                                                                                                                                          SHA1:813E3FAD5CFE4A30E20F05080D106811C5544FA3
                                                                                                                                                                                                                          SHA-256:F9406ECAA9C86F2946F8B9D997F0210F1F5EE974BE6548D1DB039014D1B45552
                                                                                                                                                                                                                          SHA-512:396F28EB15ED793DB453CD3B3E9118F4386FE24A75E3F3914E881CCA3ADA8918B98751BDAC51C4A5E897CCA1E700B2A545686463A6B0DD6719EA172682CFB928
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):3490952
                                                                                                                                                                                                                          Entropy (8bit):6.105770368598401
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:+VwASO4GIU6injGtlqBGqgOtUyrQ8SFJnofeT5W7aTNP6nZsi61o1CPwDv3uFfJe:xB+btBQQ7UQnZsY1CPwDv3uFfJe
                                                                                                                                                                                                                          MD5:474D774A60BCBDBB326C248D1B86C785
                                                                                                                                                                                                                          SHA1:C8611E2BEA720BB3B8768BB7F347DE04EAB8B00D
                                                                                                                                                                                                                          SHA-256:4FB11C716E57A352D0C40B83F00B73A23B16F4418247AFB0E8CA114C20ED7414
                                                                                                                                                                                                                          SHA-512:D25EFAE915E303AB98F86A3131E5C128BFFB0FEE7317C2F28D7A9C9836186C46FDB64008BE98EBF1B7C97F809AD4A170929583B5B899427C405C90503D3D39E0
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):589712
                                                                                                                                                                                                                          Entropy (8bit):6.371606969587959
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:Qnu0YqCbnvh0xDqjFR0NdzhdkPJZIR0vnrXkcc9VNLqYWTF:Qu0YqInZCD7mZI0vnrPc9VNLqYWB
                                                                                                                                                                                                                          MD5:EAB165F7A1856FC4FC191416A26F20F3
                                                                                                                                                                                                                          SHA1:3E3BAAA9A8AE20680D4B347A3A65E4A388DC0F4D
                                                                                                                                                                                                                          SHA-256:A2C87DFE4D43C7CC8AC44F2AC43BD45EC4F3F6BA87A2C73AE8B55F26286600E9
                                                                                                                                                                                                                          SHA-512:897E0F107BEB1FCC6402183C535F2550E954B379451415E8B40403D0575EFA6E1D1373F9F0B9A0649AB09515259490C7BFB9E9926F76735EE513F68460FB5143
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):42120
                                                                                                                                                                                                                          Entropy (8bit):6.157445136592099
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:tFRn6+bvfApVjLj1mFU6rrFqyO9K/Yfryu:tFFepV3j1mm6/pO9K/COu
                                                                                                                                                                                                                          MD5:F6AFD5499FCC5D464085AD889BAE09B7
                                                                                                                                                                                                                          SHA1:287C540655FCED0C09DDA2D9C4EADD3F3E210B17
                                                                                                                                                                                                                          SHA-256:6EDA54D746C092A45395399319DFC878E5674C84FAB8147821524A0042C03F47
                                                                                                                                                                                                                          SHA-512:BFD5ED90D0F16A2F0BCC22B0E847D5781A7B11D6912A51CDC8FCAAD80BF191D821418F7544BF52BF6E1AAA47D06A5442601543E9C25B2352D4E23AFC0C4668F9
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):344464
                                                                                                                                                                                                                          Entropy (8bit):6.268258211828341
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:eyhvW10qILfhXrbR0fkN0addZrKKOYQ9gsYlFtx/pP8fW5:eyhW0qIF10fkNBvgK5QRYlFtxxP8fW5
                                                                                                                                                                                                                          MD5:E6C6C72226677BACF6EC83BEDA63F49D
                                                                                                                                                                                                                          SHA1:C0E75C5A5B9D7C8CD07E80A2BA4D809801EFF649
                                                                                                                                                                                                                          SHA-256:2018F17E324516FC891E5C868E2045970855A3A1521D73F0F6AE12EBF12CFBBA
                                                                                                                                                                                                                          SHA-512:3A52B60711EFB4A34E5FF655E60D51A29C6D4B2CD4561A421A51647D5FCB2C75F1468A8F93C25206EDEBCF259112A4C7DA41F90181FF7E53946E1FFF5FB3F353
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):94856
                                                                                                                                                                                                                          Entropy (8bit):5.499392443352034
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:RmYSYxGfIZnRnD6M7EFOUakPhtUn6KXF4O7Wm1xK/CpcW:QYFZnRDGdvPXU6K1RWmPK/4h
                                                                                                                                                                                                                          MD5:834EE5DA601A6C78C43C64F6C282682F
                                                                                                                                                                                                                          SHA1:03920B402B787CA53CD79A66B0B611C899B91F3E
                                                                                                                                                                                                                          SHA-256:754B61DA108CC9379585E18DDCE90A8092C1B17DA5D922A6E8D6CE84A90B0F87
                                                                                                                                                                                                                          SHA-512:C4A6A49D1EE316FB9EA399487EA17DD813C0A611F473F4FD054D07F6D5C6BB786D40FA478254A499DB3E1D5F0AFDA3B72651EF097945D0C3AA9F0D83D9C0ED06
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):929318
                                                                                                                                                                                                                          Entropy (8bit):7.900306716974538
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:+20deSdhsNk795wZ08KxwK29H7hfnn3MQYa:+20ddsy95WKxwKQnc2
                                                                                                                                                                                                                          MD5:2D1F8BF06610A54B8A61894239012C3B
                                                                                                                                                                                                                          SHA1:98BA3AEC7A32B6BCB264B51364A0A8A664E4FE82
                                                                                                                                                                                                                          SHA-256:8FAFAB1032577F2EDC583C676A9BBFEECF929B5BE22950183C9A77BC2123798B
                                                                                                                                                                                                                          SHA-512:AE9DB2DEA48BFC54274975306FA98921882EA43A590DCF60733B964253C3E9D97BE9CC97F45F18ECCB65802C0EC4599BAFBFF781FE635D6364BD0B657C95655E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2276496
                                                                                                                                                                                                                          Entropy (8bit):6.2839627604807955
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:sqrGLY4rzqgpJdli4OLz1/SK1ULLnLWdaqTv6akDCbpCX464lnbW148y1PuDT5Wg:sqr0Y4rugpJdli4OLz1/SK1ULLLWdaq8
                                                                                                                                                                                                                          MD5:A928351F9555A07B7A8DCEA6B209D367
                                                                                                                                                                                                                          SHA1:66379948FB082D9EB390B77C4E00EFAD25062C9C
                                                                                                                                                                                                                          SHA-256:8993C69DAA63314019E3D33190140ACAC23704D20AB3BDF946B41969DD23B0A7
                                                                                                                                                                                                                          SHA-512:099DAD1E89474F449EF9EA35CC93C2C8A643AF9108FD38FFB7B748FE93F0A25553B135AC6C6E33EDB8B1AD55687CDF182C6FA3E2D5018110D0500C3E2CA35EEA
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):93832
                                                                                                                                                                                                                          Entropy (8bit):5.485112927422894
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:fP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WGkK/CH8:fePOYe4bu1epDh8RWGkK/b
                                                                                                                                                                                                                          MD5:8E7EE7C3876683902475753519681407
                                                                                                                                                                                                                          SHA1:75FACB7F9C59B284F97956E799E57FB0F606C49D
                                                                                                                                                                                                                          SHA-256:6D5041A8EF796C66BA151D8FCFAFDD96BCAA99B57D2777897FD25A87A5E41E13
                                                                                                                                                                                                                          SHA-512:523EBF3A4DF9F6D299E72079DEF0A0DA9127601796D9AA613B70AD2F66EE2166F4F8F75083F47E67FFFD892A09FA437F3B12BD1B27065200E90F8617E3E83727
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):277
                                                                                                                                                                                                                          Entropy (8bit):5.0491979415178765
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:ShdEdI5KGdXrSwCoXV+hn5A59eT5U+hLQsPti5FtEEs6EsctB6WEsF2WEsF+v:6dEKwGxOsw7BB6S2zv
                                                                                                                                                                                                                          MD5:C8768E552ABCA40175C704E4AF1F030C
                                                                                                                                                                                                                          SHA1:7B8A3BC3310EE72006FD2C5A4D5F4FC60171C81B
                                                                                                                                                                                                                          SHA-256:50259EEA13E0A9CB0AC48181F8F4345E6558EE8536CC71D0F6E2F63AE9D89D33
                                                                                                                                                                                                                          SHA-512:09FD06DB34894F1EC79B607217DC70E204793E04C58B846DC495DC915F38C1311AC1EE0D3C5CCDE636D8A3D6CE5631EF7291D3617FB3F900FD072CEA5831B573
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:OpenVPN STATISTICS..Updated,2023-09-03 07:45:36..TUN/TAP read bytes,1979..TUN/TAP write bytes,9103..TCP/UDP read bytes,15521..TCP/UDP write bytes,5150..Auth read bytes,9103..pre-compress bytes,0..post-compress bytes,0..pre-decompress bytes,204..post-decompress bytes,213..END..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):543632
                                                                                                                                                                                                                          Entropy (8bit):6.3781262731970685
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:zqzF5VH24Jy+0PeZOYbxobw+QY0heC9lVNLETyoK:zqh32SRoc+QY0n9lVNLETbK
                                                                                                                                                                                                                          MD5:94267176E212B8EBFF06728CC6C3F432
                                                                                                                                                                                                                          SHA1:F65313083C2B3177F405B7AB884BA0A9BE3251D9
                                                                                                                                                                                                                          SHA-256:08D08CBFA4D5531CEEE16BFCB2255EDA79C5B7F7C0894C4E6F49F673457AB362
                                                                                                                                                                                                                          SHA-512:014459C9D3DBE7C09E0D6DB085CE9F715248BA6D784845339B2D6896A8BA7B680C93E707D4990350E30C8853A95FD0DC6F8E9244643787DB65AB8A2F95C26967
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):539536
                                                                                                                                                                                                                          Entropy (8bit):6.374120901700144
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:F2qV/eGvVJVbhqs7MRkPXpaCLz9gS+f/9VNtP8zC:F2q9rVJeMp1Lz9gj/9VNtP8zC
                                                                                                                                                                                                                          MD5:7024D49DF9315B5718F40FCD29A8656F
                                                                                                                                                                                                                          SHA1:EF243D1EC09F2FB714459D596F40A87B5B51C054
                                                                                                                                                                                                                          SHA-256:51877E41297AE94FE33D01D980717AE18938A3E81A32C57ADC77D754EF7E66BE
                                                                                                                                                                                                                          SHA-512:D9B7661B923B45020641F80A4695079A86F92848A022C8374C9339258A3F63D628000628CF75163B7C707A8506BB4D4928A1EA75E09FA6416EB9A2150EB5B705
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):359
                                                                                                                                                                                                                          Entropy (8bit):5.09733291062762
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:i4Z2TyUdkl9WUyUdkwc1+XMoHkyUdk3LASg0TqeXMFXA98XfFZ/FvjCzISMOmEm:jZELklIULktkXxELk35q0MhA98vFZ/FV
                                                                                                                                                                                                                          MD5:777B3CBF81DDD8B238BDEDDDEA17AFED
                                                                                                                                                                                                                          SHA1:C72F46715DCBC9BDA1E2BEEAC8AF2A64E7B48D08
                                                                                                                                                                                                                          SHA-256:DACE14B4A5268728E67A9E78D8F0877F4C87F6B87DDD40DFF28A11E9E42945CF
                                                                                                                                                                                                                          SHA-512:5C6D302F93381EBF65ADD3DAA0EB4813270C5D9A042AD9B8A48A575ADC4E751D3834292BB61AEF6A5458036AE6E3C83C8EDFAE5CF828D81317ACAE6675B8E619
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))..{ ..$arguments = "& '" + $myinvocation.mycommand.definition + "'"..Start-Process powershell -Verb runAs -ArgumentList $arguments..Break..}.. Set-NetConnectionProfile -NetworkCategory Private
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):89736
                                                                                                                                                                                                                          Entropy (8bit):5.522767465825831
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:3urhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkAzrF9:w+KY04RMmSCYmBiF4O7WTn8K/CI
                                                                                                                                                                                                                          MD5:2CC3AC572A2170108BABD019F0BFE779
                                                                                                                                                                                                                          SHA1:AF962245CE32D5801A380FF7F6B8C87AC7772AB2
                                                                                                                                                                                                                          SHA-256:755315DFCC9C72CBE4EB33AF34E9AAC0BD1324C6942F4B56AD9FE0135E1A9299
                                                                                                                                                                                                                          SHA-512:891D545DDF35BF8C650FE8EB48A5E5F6F7C50036E42BE893417AF2EF886EB37C5BEEE9DD838A8F020728E4BAE803F2753CC8F6DD7958DD31B5B39DAED7EF464B
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):700040
                                                                                                                                                                                                                          Entropy (8bit):5.552155208041958
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:UB4x/cH7gueaxFi00ZoPqETRzRnYhUpfakLaugPoDhTMY98c8mvVfU2lvzpi/O:avziRZoXuugCtD8JmvNU2lvzpiG
                                                                                                                                                                                                                          MD5:6EE5C92E2918B27974086A6F24D79043
                                                                                                                                                                                                                          SHA1:40595B75A513BBF1BE16780784E13EFDAD2E40C7
                                                                                                                                                                                                                          SHA-256:86F3A19221C710CFF12607FEB00D8CD0AF932873430AD1B59C990593010EC3CF
                                                                                                                                                                                                                          SHA-512:F07BBE5D367D6F7474E08507F3827BDCAC5503673F2027CA139303FA573F4EEB7D82A9D88EE0F3291F53629C0644B39E2C81380B45F8E2A286FFCC326AE0E4B7
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):321936
                                                                                                                                                                                                                          Entropy (8bit):6.249416182192696
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:49C2dRHqGR0N9BdVLATWWFQEDyhNSDEAIjUoMfqC9ulMdUBIKL:Z2dRHqGRyhAT9FxoSIAIx/C9ulMe2KL
                                                                                                                                                                                                                          MD5:5C1752EF16C7E3B28D9662E3C08FB08F
                                                                                                                                                                                                                          SHA1:4B3F3BE508D4C6CD8374FBB812EE30E99F8128C0
                                                                                                                                                                                                                          SHA-256:1BF45DF354D53D400EAF644E205DADDB0C07B408EB0C03D8CCFF765BD6659FB3
                                                                                                                                                                                                                          SHA-512:296F8AA642527C3A2364B9FA0E1C9F3EE3B7AD6F82D51685F71601F4E4A0E5DA5327FF1E1884F6264E7961417D54028B4E9BBE1B836968FF0F9D6685EBEE0327
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 62%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):113800
                                                                                                                                                                                                                          Entropy (8bit):6.497871168162335
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:NADrSog8rBPCmGxRmZZlfzaag8fPrZyEOE9toSK/G:qDl9PQTmZ53rZyEOE92L/G
                                                                                                                                                                                                                          MD5:C966B6A5F0143199FF16F8E491E2B44D
                                                                                                                                                                                                                          SHA1:A47ECE66964E5432551E782EC53EBFEA42845256
                                                                                                                                                                                                                          SHA-256:EA7E53C74D1E66FB0363A16DCCB2B893183937BF4A69770EA44D6BCD6C1A15D6
                                                                                                                                                                                                                          SHA-512:54292A35794B0E147BDCDE724D7101FEDD499F5799175545C5E2BB4362D6387B713EBF511EBF25B4D7E41086073E167524C401936623BB3AE8E337E3D5ADE5CF
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):313744
                                                                                                                                                                                                                          Entropy (8bit):6.2705364965004815
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:7OqwvZdI0CglL0fN5ra4KBb5cSgQkJjMoplVNLQDrkHW:6qwvigF0fN5OB5dgQkBplVNLQDeW
                                                                                                                                                                                                                          MD5:2EEEB7F9DCC44DC28CBFBAF94176CA6F
                                                                                                                                                                                                                          SHA1:65055D6EE4E5A322DB3C74B0EF8CDADECDB32737
                                                                                                                                                                                                                          SHA-256:966DDE59F9ABD125F763A95273BF923C2543A4B9F43F6F0C5587CCA308BD9FFD
                                                                                                                                                                                                                          SHA-512:5919481A1768E9B19CE79ADDDFFC25A6BCDA326232FEB6E61729C2173292F3E2EC7266C646090DCC061A2E9643084583E43947774FDF76842316249B3B2E911F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):244360
                                                                                                                                                                                                                          Entropy (8bit):6.534833630270433
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:lE2PcqwWvsYJlWewlEyDFINgMjY/fVYPCtmA+KiA/R:lE+1JYVEgFugMjXP/A0A/R
                                                                                                                                                                                                                          MD5:92CAE75041DFA888EE8284E7C6BB658E
                                                                                                                                                                                                                          SHA1:2632FD77EAEDC09977192CFAA19EAEE66F538041
                                                                                                                                                                                                                          SHA-256:ACEB2DBBA3948EF0D2908CAE3B2E1586AC82B700C1DE7E6420FA241EFBBB0ECB
                                                                                                                                                                                                                          SHA-512:F01AC04FBD3EA1FD4D39D7654DF7D97EB15D60BC9EDFDF36C92176CF8A66FC148E4ECA480F52B7283AF1B9966983F4275A4E221E2D73056A7F3F4290C4D85C17
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):346512
                                                                                                                                                                                                                          Entropy (8bit):6.253406880555808
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:sQz5UqJwVKCsnOeuj9PDnBQpUZyNVHhl/FPTCgTx:sQ1UqChsnOeMhBaQy9l/FPW0x
                                                                                                                                                                                                                          MD5:9641732F1DB2EAB135130C9128C1427A
                                                                                                                                                                                                                          SHA1:88B0857CFE055A1D920E55B3094116162E4EAA00
                                                                                                                                                                                                                          SHA-256:B47CD11E4089FE0AE8BAF4E05B4CCF19B1DFE403FD392649E9253C05D58F3CBC
                                                                                                                                                                                                                          SHA-512:5C87B26E51771B61FDF87D577781B1FB163527D0F03E74327BC11EA1A24B1B449D4AB23F7393466ED4BAF3809A5151EB30928F462B5FCD55BB8DE4BD733856A8
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):63258
                                                                                                                                                                                                                          Entropy (8bit):4.638400083452387
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:PcJillRMp5RLRYkKJdcmFT38Q9aSePEUX5:PcJiDRMD9YdtePz5
                                                                                                                                                                                                                          MD5:127A512367895E269AD9922079C47761
                                                                                                                                                                                                                          SHA1:7444878FEF13B7B4FCBE57D2DB2C527A34CA48C5
                                                                                                                                                                                                                          SHA-256:E841508B1B3D7615F17E691334ECB6B1A7F7A83BC531BFF272E85F048AA3DDFD
                                                                                                                                                                                                                          SHA-512:90E486FA09945BCCBD24542C31F832BEC4AA6EAE7D7A1522526018D0AC38CE855F545E1AB7AEFA1B6F7D78E6F0C8333A607E8A9BF1DCFA74E9E4F3B113AFD15F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):99976
                                                                                                                                                                                                                          Entropy (8bit):6.499161413646961
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:yWHL+4KsAzAfadZw+1Hcx8uIYNU5U9H0Q8ecbjt1BHK/CeS:yWr/Z+jPYNV9H0Q8ecbjt1BHK/pS
                                                                                                                                                                                                                          MD5:85054BAF6D0A7D31A18183ACC4CBA133
                                                                                                                                                                                                                          SHA1:24830C002FFAB31102DFB674B52AFFD74E90E708
                                                                                                                                                                                                                          SHA-256:EC86F182F55A338E26F598638F18422E474C6D6C651E1D9955D0303254BF6DDD
                                                                                                                                                                                                                          SHA-512:B6B7D9115ED1D734D7C0EB09E7C7C96EEC29E2C59B8943586976F2182E46B660B99C1947ACF2C1DEB75595771A78B7405FDDBB989A2F06CF88E4AD3D8824055A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):918536
                                                                                                                                                                                                                          Entropy (8bit):6.038516348303836
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:Kts+IUZyyi1sznLRjH0qawdB1iT7jwq7Kjn+o/J:KtLIUZPyaVH0qawP1iDwjn+oh
                                                                                                                                                                                                                          MD5:6F1B7C24C5FF662F4364B323F42C101A
                                                                                                                                                                                                                          SHA1:B74949B7A809F8139BD89BD5B96E230108A6615D
                                                                                                                                                                                                                          SHA-256:034248CEFD5BC35A927682E44B79C354A0AEE25E800CF99D86EC591FD8722B5A
                                                                                                                                                                                                                          SHA-512:B13B4A46FB14C687925DE21982C4DE66C201E9FE16D7C03B2C65900CEF47C5E6DB338545E868EE6216C2A92453557BEA6C0D084B5D76A731CAA00BA821FA40E0
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):178552
                                                                                                                                                                                                                          Entropy (8bit):6.1636094237053305
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:2h5CDZ37FRuI7hDEjQ777RZ7B7T7N55Fjh/YAWFOEBhzFJEB55jKTrK/T:J3bRn9ZNnB5NfKTW/T
                                                                                                                                                                                                                          MD5:3D0E093C2EA9BE7460BFBAD86E6FBB58
                                                                                                                                                                                                                          SHA1:C36EB5601DF523DE321146CF1853F899921AB519
                                                                                                                                                                                                                          SHA-256:810DD30ED0002E2D71937EA818F77E60B0D385D32CC61D92A466FCB6FDCE5526
                                                                                                                                                                                                                          SHA-512:CF4A35C0FAA30FE2B96F2A04E91AFCF9CD08ADF021031C1CEFEF8E2F4028381FD1DEABA7B744AB2245B60A623715CDE8B7C8C9D7AE52728701D773F4B26367BB
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):545680
                                                                                                                                                                                                                          Entropy (8bit):6.371479071684404
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:8xqABhfuM6KsuJPR9K+EvLHhDcsgsEO5CllKDh/eF4:8xqDM9+lHNcsgACllKDh/eF4
                                                                                                                                                                                                                          MD5:2D885495E81A8B8D1D5305FE20566484
                                                                                                                                                                                                                          SHA1:F1D2083D399DD48927CBD83E23F90AD3CE3E0632
                                                                                                                                                                                                                          SHA-256:EB2E18881DDD80A3E54527264B3E7C5046F15854A196B76CCAD28E8258F3F1B2
                                                                                                                                                                                                                          SHA-512:E2BB9F8E377B381CC13538B39E8B3FB749341FCEF84E7B26749BF35141C6C52A48636BB00C6FA7C585EEC4C01B03CD0EC38C8F3E85E0CA2C2CDA26D026DEF326
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):93832
                                                                                                                                                                                                                          Entropy (8bit):5.48517352660103
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:kP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WGHK/CT:kePOYe4bu1epDh8RWGHK/M
                                                                                                                                                                                                                          MD5:A2ADF4897942B99FE0738F8C37FD15C0
                                                                                                                                                                                                                          SHA1:4192A2221F5C48A16427BF1898C0443CA27A29BB
                                                                                                                                                                                                                          SHA-256:B339B9A93A93B52F3EA0A5F2161E4B16BDA0CA7396D53ECA14C7D7F3E963A3A3
                                                                                                                                                                                                                          SHA-512:DF383B4B70C980C613F3C3EC4E99980DA6DB15F123D617197B644314233D1E2ADEC9F9162D6DBB7B874D885119082E01840102F0976F3CC767A78B5E467EF4A8
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):585512
                                                                                                                                                                                                                          Entropy (8bit):6.002108518534667
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:kavF2w273DAx5at3y6/c1M94lh7NX06qkX/0IT7/5:kAF2w2jE5k3y6/cyinNXy4B7h
                                                                                                                                                                                                                          MD5:2C700BBCDA59BFE2CD7EBF9BAA5B2626
                                                                                                                                                                                                                          SHA1:72EFAA0E8652FB4ADC21E4484E7F63AA968F39D2
                                                                                                                                                                                                                          SHA-256:C9C59AB5B3369B97C85129F160491BD743B68DE1AD41EE6EEBA69009407B54E7
                                                                                                                                                                                                                          SHA-512:0911C7FED9653D9D50BAD7219E45778367DE4B105B5079A8011415F65465B80782A98A503CEBFB309997BCFB2A8620402579456565A24C69A20CBCBD0130DA20
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):3490952
                                                                                                                                                                                                                          Entropy (8bit):6.105770368598401
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:+VwASO4GIU6injGtlqBGqgOtUyrQ8SFJnofeT5W7aTNP6nZsi61o1CPwDv3uFfJe:xB+btBQQ7UQnZsY1CPwDv3uFfJe
                                                                                                                                                                                                                          MD5:474D774A60BCBDBB326C248D1B86C785
                                                                                                                                                                                                                          SHA1:C8611E2BEA720BB3B8768BB7F347DE04EAB8B00D
                                                                                                                                                                                                                          SHA-256:4FB11C716E57A352D0C40B83F00B73A23B16F4418247AFB0E8CA114C20ED7414
                                                                                                                                                                                                                          SHA-512:D25EFAE915E303AB98F86A3131E5C128BFFB0FEE7317C2F28D7A9C9836186C46FDB64008BE98EBF1B7C97F809AD4A170929583B5B899427C405C90503D3D39E0
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2276496
                                                                                                                                                                                                                          Entropy (8bit):6.2839627604807955
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:sqrGLY4rzqgpJdli4OLz1/SK1ULLnLWdaqTv6akDCbpCX464lnbW148y1PuDT5Wg:sqr0Y4rugpJdli4OLz1/SK1ULLLWdaq8
                                                                                                                                                                                                                          MD5:A928351F9555A07B7A8DCEA6B209D367
                                                                                                                                                                                                                          SHA1:66379948FB082D9EB390B77C4E00EFAD25062C9C
                                                                                                                                                                                                                          SHA-256:8993C69DAA63314019E3D33190140ACAC23704D20AB3BDF946B41969DD23B0A7
                                                                                                                                                                                                                          SHA-512:099DAD1E89474F449EF9EA35CC93C2C8A643AF9108FD38FFB7B748FE93F0A25553B135AC6C6E33EDB8B1AD55687CDF182C6FA3E2D5018110D0500C3E2CA35EEA
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):178552
                                                                                                                                                                                                                          Entropy (8bit):6.1636094237053305
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:2h5CDZ37FRuI7hDEjQ777RZ7B7T7N55Fjh/YAWFOEBhzFJEB55jKTrK/T:J3bRn9ZNnB5NfKTW/T
                                                                                                                                                                                                                          MD5:3D0E093C2EA9BE7460BFBAD86E6FBB58
                                                                                                                                                                                                                          SHA1:C36EB5601DF523DE321146CF1853F899921AB519
                                                                                                                                                                                                                          SHA-256:810DD30ED0002E2D71937EA818F77E60B0D385D32CC61D92A466FCB6FDCE5526
                                                                                                                                                                                                                          SHA-512:CF4A35C0FAA30FE2B96F2A04E91AFCF9CD08ADF021031C1CEFEF8E2F4028381FD1DEABA7B744AB2245B60A623715CDE8B7C8C9D7AE52728701D773F4B26367BB
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):113800
                                                                                                                                                                                                                          Entropy (8bit):6.497871168162335
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:NADrSog8rBPCmGxRmZZlfzaag8fPrZyEOE9toSK/G:qDl9PQTmZ53rZyEOE92L/G
                                                                                                                                                                                                                          MD5:C966B6A5F0143199FF16F8E491E2B44D
                                                                                                                                                                                                                          SHA1:A47ECE66964E5432551E782EC53EBFEA42845256
                                                                                                                                                                                                                          SHA-256:EA7E53C74D1E66FB0363A16DCCB2B893183937BF4A69770EA44D6BCD6C1A15D6
                                                                                                                                                                                                                          SHA-512:54292A35794B0E147BDCDE724D7101FEDD499F5799175545C5E2BB4362D6387B713EBF511EBF25B4D7E41086073E167524C401936623BB3AE8E337E3D5ADE5CF
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):700040
                                                                                                                                                                                                                          Entropy (8bit):5.552155208041958
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:UB4x/cH7gueaxFi00ZoPqETRzRnYhUpfakLaugPoDhTMY98c8mvVfU2lvzpi/O:avziRZoXuugCtD8JmvNU2lvzpiG
                                                                                                                                                                                                                          MD5:6EE5C92E2918B27974086A6F24D79043
                                                                                                                                                                                                                          SHA1:40595B75A513BBF1BE16780784E13EFDAD2E40C7
                                                                                                                                                                                                                          SHA-256:86F3A19221C710CFF12607FEB00D8CD0AF932873430AD1B59C990593010EC3CF
                                                                                                                                                                                                                          SHA-512:F07BBE5D367D6F7474E08507F3827BDCAC5503673F2027CA139303FA573F4EEB7D82A9D88EE0F3291F53629C0644B39E2C81380B45F8E2A286FFCC326AE0E4B7
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):244360
                                                                                                                                                                                                                          Entropy (8bit):6.534833630270433
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:lE2PcqwWvsYJlWewlEyDFINgMjY/fVYPCtmA+KiA/R:lE+1JYVEgFugMjXP/A0A/R
                                                                                                                                                                                                                          MD5:92CAE75041DFA888EE8284E7C6BB658E
                                                                                                                                                                                                                          SHA1:2632FD77EAEDC09977192CFAA19EAEE66F538041
                                                                                                                                                                                                                          SHA-256:ACEB2DBBA3948EF0D2908CAE3B2E1586AC82B700C1DE7E6420FA241EFBBB0ECB
                                                                                                                                                                                                                          SHA-512:F01AC04FBD3EA1FD4D39D7654DF7D97EB15D60BC9EDFDF36C92176CF8A66FC148E4ECA480F52B7283AF1B9966983F4275A4E221E2D73056A7F3F4290C4D85C17
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):776328
                                                                                                                                                                                                                          Entropy (8bit):6.92032788063544
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:uQmCy3NeRjkpQmj3oaMtQqjoygfXq3kon9IlbgaOxQdVJJ6j5EBKX8hUk/K:vmCy3VQs9MtLjTgfa3kon9FaOdEukC
                                                                                                                                                                                                                          MD5:6ECA26F16FEB505B1BD0A0A25DA4AEDB
                                                                                                                                                                                                                          SHA1:297A6E0D660FAF9E924B2BE827D9D9DC81E4EB85
                                                                                                                                                                                                                          SHA-256:CD9005B83CAB43E566F287D1BB1A3DE33F2D67AD5013DC5213232A5DC5309BDB
                                                                                                                                                                                                                          SHA-512:78F749E1D591D9AC2C1BB3A47FA7D4099A18303357F990E97D6E531FA50FE2466C8A203504F599C74EE92DFA179CC4AFBC561C60AFD01FA103A3276E79760A46
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):918536
                                                                                                                                                                                                                          Entropy (8bit):6.038516348303836
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:Kts+IUZyyi1sznLRjH0qawdB1iT7jwq7Kjn+o/J:KtLIUZPyaVH0qawP1iDwjn+oh
                                                                                                                                                                                                                          MD5:6F1B7C24C5FF662F4364B323F42C101A
                                                                                                                                                                                                                          SHA1:B74949B7A809F8139BD89BD5B96E230108A6615D
                                                                                                                                                                                                                          SHA-256:034248CEFD5BC35A927682E44B79C354A0AEE25E800CF99D86EC591FD8722B5A
                                                                                                                                                                                                                          SHA-512:B13B4A46FB14C687925DE21982C4DE66C201E9FE16D7C03B2C65900CEF47C5E6DB338545E868EE6216C2A92453557BEA6C0D084B5D76A731CAA00BA821FA40E0
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):865416
                                                                                                                                                                                                                          Entropy (8bit):6.558002511161394
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:dxRZrLEvOx+pFpQlzLyPkET7c5zaSjLUVaoNkUNBKsEpX:dtUmxmpQFLyPkEixWi
                                                                                                                                                                                                                          MD5:A151697A9F14639BFA2CB3E470CEA355
                                                                                                                                                                                                                          SHA1:FA45D614ABFF2ED9A707E3DFC02F404CFC18A89F
                                                                                                                                                                                                                          SHA-256:4794C710A3E624B1A0D956CFE21EC0433FD85BD2D8EB96ACE3F2B5E5302E225C
                                                                                                                                                                                                                          SHA-512:888CFD3919482BB56A15E23A73C868C277CA925EED122327E3399C23D0D647F07B9CD67CCAE28AFD1048A41710DA50126B38E75D7455F56AA95BBECA42D228BF
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):68744
                                                                                                                                                                                                                          Entropy (8bit):6.03232541602541
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:OhNHth2MbtFwpJgYCV7JToLDkhqQovzeTJdCK/C1:OhHTbtsRCskcQovzeTJdCK/a
                                                                                                                                                                                                                          MD5:41E94A80206A87D947CE6CF5823494BE
                                                                                                                                                                                                                          SHA1:558214579EE8F2732C36F779E545BA1340191E49
                                                                                                                                                                                                                          SHA-256:E4275E6430AE1EC21A5CD0F2FC382998DEBC1E433A66129527C1B69792F09F95
                                                                                                                                                                                                                          SHA-512:54B0DD18BA43C48B3FC21E4366D7D1DC65147A84AFA3DC29D94C4CF80B49FA67150B8303F576683F712E648CAFF516BFEA3A6F93435D6B33DCAB2C43BC762E35
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):27784
                                                                                                                                                                                                                          Entropy (8bit):6.488306745612165
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:YVfdXePAee0fxvSDv2atBymU+DpbGEgivBpnpwK3CrFqa2S0FP27NBYearrDVY:afdXfOvObbU+Nb5RgrFq7rK/YfrDS
                                                                                                                                                                                                                          MD5:41C55E2A9D5D9B23C08E3DC067780DC7
                                                                                                                                                                                                                          SHA1:1FB62C7FCF24F604676896121C1CCAFB628C1BE1
                                                                                                                                                                                                                          SHA-256:D76995DCE5A5A3B0D77ABB438C14504F9825A6BC98676F1BA8D0CC18CEBB0545
                                                                                                                                                                                                                          SHA-512:396E8878BAFCFC0DF994B9AF23176D343230B6F6EE82A71E14EFA56347EF0C63B4D277C029EF9FB3EF69D6F1B8AE73ECF92D8DCEDC9312E0C8BFA86EC0B611D2
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):545680
                                                                                                                                                                                                                          Entropy (8bit):6.371479071684404
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:8xqABhfuM6KsuJPR9K+EvLHhDcsgsEO5CllKDh/eF4:8xqDM9+lHNcsgACllKDh/eF4
                                                                                                                                                                                                                          MD5:2D885495E81A8B8D1D5305FE20566484
                                                                                                                                                                                                                          SHA1:F1D2083D399DD48927CBD83E23F90AD3CE3E0632
                                                                                                                                                                                                                          SHA-256:EB2E18881DDD80A3E54527264B3E7C5046F15854A196B76CCAD28E8258F3F1B2
                                                                                                                                                                                                                          SHA-512:E2BB9F8E377B381CC13538B39E8B3FB749341FCEF84E7B26749BF35141C6C52A48636BB00C6FA7C585EEC4C01B03CD0EC38C8F3E85E0CA2C2CDA26D026DEF326
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):77064
                                                                                                                                                                                                                          Entropy (8bit):6.309512423177142
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:c3PLyOk59e89l4oTvomRuJeE3dwifb2CLXlYvcM:ML45g0lKPLwifb2CLXcx
                                                                                                                                                                                                                          MD5:760475CD23CE23410F37558452B28545
                                                                                                                                                                                                                          SHA1:68ED3626CE9ABE090B960EEB909C4324205DDEF0
                                                                                                                                                                                                                          SHA-256:113A6934823339B6873D8CE80F629F37BFA912C4B8201428222025754BFEFA7F
                                                                                                                                                                                                                          SHA-512:AB9AEF1013B579784C062D2ED30DAB86DAE541862B7C02FF19943D0987A5C7FC8B12A2C8ABCDB521123DB2E8BC1B806834C80E6C43C33164A004D37A59AE725A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):77064
                                                                                                                                                                                                                          Entropy (8bit):6.309512423177142
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:c3PLyOk59e89l4oTvomRuJeE3dwifb2CLXlYvcM:ML45g0lKPLwifb2CLXcx
                                                                                                                                                                                                                          MD5:760475CD23CE23410F37558452B28545
                                                                                                                                                                                                                          SHA1:68ED3626CE9ABE090B960EEB909C4324205DDEF0
                                                                                                                                                                                                                          SHA-256:113A6934823339B6873D8CE80F629F37BFA912C4B8201428222025754BFEFA7F
                                                                                                                                                                                                                          SHA-512:AB9AEF1013B579784C062D2ED30DAB86DAE541862B7C02FF19943D0987A5C7FC8B12A2C8ABCDB521123DB2E8BC1B806834C80E6C43C33164A004D37A59AE725A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):72304
                                                                                                                                                                                                                          Entropy (8bit):6.723888135179154
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:IPxegyYti+IPp+RmwN/jlzQH8rzn3oZrx+vJcRUf:jgLQPp+EwN5K8rcZrmq
                                                                                                                                                                                                                          MD5:5EE29684A6D1E66FD1590742620448EE
                                                                                                                                                                                                                          SHA1:71DB43CA9730411BADD39AB2631A1346EF740AAA
                                                                                                                                                                                                                          SHA-256:3506C17F79A4F38482DE5B5835484C7127B9903A9412FB6B668BE441D83D8B30
                                                                                                                                                                                                                          SHA-512:5F0E00DAC143ED9995B5FECD023EA950FC7A37691E5A4DEF24DAB0DCBDE058787CD4997BE8B2BBE948E5CCA96E80112F55BA8DE7BDD39D264709813B67FDDC0D
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (native) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):72304
                                                                                                                                                                                                                          Entropy (8bit):6.723888135179154
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:IPxegyYti+IPp+RmwN/jlzQH8rzn3oZrx+vJcRUf:jgLQPp+EwN5K8rcZrmq
                                                                                                                                                                                                                          MD5:5EE29684A6D1E66FD1590742620448EE
                                                                                                                                                                                                                          SHA1:71DB43CA9730411BADD39AB2631A1346EF740AAA
                                                                                                                                                                                                                          SHA-256:3506C17F79A4F38482DE5B5835484C7127B9903A9412FB6B668BE441D83D8B30
                                                                                                                                                                                                                          SHA-512:5F0E00DAC143ED9995B5FECD023EA950FC7A37691E5A4DEF24DAB0DCBDE058787CD4997BE8B2BBE948E5CCA96E80112F55BA8DE7BDD39D264709813B67FDDC0D
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):104424
                                                                                                                                                                                                                          Entropy (8bit):6.366713641084616
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:Y79hJ78bsmPOC5lhtb5FGNk4wZO+cWK4orE3HazVvon6BK2s6th:YpL78XPOCN1GeOUKdebIKfS
                                                                                                                                                                                                                          MD5:95FD4F27F82A9E4D6E2A53AF7A9096E6
                                                                                                                                                                                                                          SHA1:5F772C89901841AF1814C858359AC5FEB9BE3C24
                                                                                                                                                                                                                          SHA-256:98CD2F27906E4FD7FA7FBE0EC747BADEF710BCA736A1AC5EE883756F2185818C
                                                                                                                                                                                                                          SHA-512:6B2E2BA90B33F6658C903203317299057C83545D46549D468CDAA1D6F7BCE887310411B9BF6EEA9D19C214A2041BB5E14FD9395CC4E2FE9FC31AB03B88A75019
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):104424
                                                                                                                                                                                                                          Entropy (8bit):6.366713641084616
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:Y79hJ78bsmPOC5lhtb5FGNk4wZO+cWK4orE3HazVvon6BK2s6th:YpL78XPOCN1GeOUKdebIKfS
                                                                                                                                                                                                                          MD5:95FD4F27F82A9E4D6E2A53AF7A9096E6
                                                                                                                                                                                                                          SHA1:5F772C89901841AF1814C858359AC5FEB9BE3C24
                                                                                                                                                                                                                          SHA-256:98CD2F27906E4FD7FA7FBE0EC747BADEF710BCA736A1AC5EE883756F2185818C
                                                                                                                                                                                                                          SHA-512:6B2E2BA90B33F6658C903203317299057C83545D46549D468CDAA1D6F7BCE887310411B9BF6EEA9D19C214A2041BB5E14FD9395CC4E2FE9FC31AB03B88A75019
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):527
                                                                                                                                                                                                                          Entropy (8bit):5.160291198458603
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:E9T9FHWvxBLzOY7WCKGWXOTIHcrV2/+1Of3T96TuGWYxBoeANyW:E9T9FHWJBLz9SC8zwV2sOD997YBFnW
                                                                                                                                                                                                                          MD5:39B9357BA2B8B640ACFAE47275B80C56
                                                                                                                                                                                                                          SHA1:0A80D68131736FB29C71D66CEBED9D59258F86DB
                                                                                                                                                                                                                          SHA-256:76E9F6F16C00F33BE1717AE60A1FAFA0F90609508F7D613556B145E4C89D103A
                                                                                                                                                                                                                          SHA-512:D3144461AC37E13100BE3444586163CCB8A6B767DCD0B7A26353172FD86C06D7AC31CD209C1E472B9DCAF0D5E3CCD80AF78A15B48BE72E4AFBBCB6747338DDCB
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..start sc stop fastestvpndriver..del %systemroot%\system32\drivers\fastestvpndriver.sys....reg Query "HKLM\Hardware\Description\System\CentralProcessor\0" | find /i "x86" > NUL && set ARCH=i386 || set ARCH=amd64..reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" | find /i "Windows 7" > NUL && set OS=windows7 || set OS=windows8....xcopy /y driver\%OS%\%ARCH%\fastestvpndriver.sys %systemroot%\system32\drivers..release\nfregdrv.exe -u fastestvpndriver..release\nfregdrv.exe fastestvpndriver
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):153
                                                                                                                                                                                                                          Entropy (8bit):4.487708026306449
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyW+jBFWRO5Na3ymIaKn/kuD/RAKaXyXshWoXnPTHaW:hiPFvL9FHza3fxBuZaXhZbaW
                                                                                                                                                                                                                          MD5:2D0CB38D144B0F1A34BD6F715D697658
                                                                                                                                                                                                                          SHA1:65B935BEEE274E0BB6C069CB8FC1022E187ECAE2
                                                                                                                                                                                                                          SHA-256:DFEE16836EBD2D8E76D0EE660F9B22154A3513591061FF9EF9E540094DDEA8F6
                                                                                                                                                                                                                          SHA-512:472D2F8D2C58BC96C100674995A580F0EA3A60F42971A850582CEDB4B9108D42F7CE8D87410203C50EAD3F16B9CA92F3DDB1B4D543F2418FEF6259E754359987
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..start sc stop fastestvpndriver..del %systemroot%\system32\drivers\fastestvpndriver.sys..release\nfregdrv.exe -u fastestvpndriver
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):61064
                                                                                                                                                                                                                          Entropy (8bit):6.255909242219927
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:2/Th9sBDRdQNV0nsDMmkL/DDI6ssEtnrFqnK/Yfrc:lRMVvRkLFWtr6K/Cg
                                                                                                                                                                                                                          MD5:9333F583E2D32A47276DCEC7C2391FD2
                                                                                                                                                                                                                          SHA1:8757F8136354B7F98407CEBFE8BDA6043972D88E
                                                                                                                                                                                                                          SHA-256:AF36609DF5F1F9375354E68E2B8EA57059E44DEC3D089CD9EA509F0816D71294
                                                                                                                                                                                                                          SHA-512:922578EFA998B4B92192F3A6839059C01406997F3DBEF0DE70C7BA3F6D73CBDEA04470CD6C214778AAB59EB7602AC354750AE5D97C66286F1215BC415B273222
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):159368
                                                                                                                                                                                                                          Entropy (8bit):6.430638214966169
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:MnVAyi4UNa5oIMLPX3CD+Y+tQJtbwhOt4SSyd7DK/+1:Msa+hPSDutIyhfq7+/k
                                                                                                                                                                                                                          MD5:E7C064693750D51F5AC901A0CF0A987A
                                                                                                                                                                                                                          SHA1:0FFE9BAE9054D779F60CE8E0E72D386401C0AF7D
                                                                                                                                                                                                                          SHA-256:6138C9EC5082350F9223E87991A779457662FAD1AE937ADFD7229DA509810A14
                                                                                                                                                                                                                          SHA-512:12E2CF49B1DA8BD4CEC556F1C816678B7E04D08ED71D94F5734DA6B73AE73E79EC09593CFCF2A27AF73C32645435CF52B127EFB8BACB94C9638249E1365A3CBB
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):159368
                                                                                                                                                                                                                          Entropy (8bit):6.430638214966169
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:MnVAyi4UNa5oIMLPX3CD+Y+tQJtbwhOt4SSyd7DK/+1:Msa+hPSDutIyhfq7+/k
                                                                                                                                                                                                                          MD5:E7C064693750D51F5AC901A0CF0A987A
                                                                                                                                                                                                                          SHA1:0FFE9BAE9054D779F60CE8E0E72D386401C0AF7D
                                                                                                                                                                                                                          SHA-256:6138C9EC5082350F9223E87991A779457662FAD1AE937ADFD7229DA509810A14
                                                                                                                                                                                                                          SHA-512:12E2CF49B1DA8BD4CEC556F1C816678B7E04D08ED71D94F5734DA6B73AE73E79EC09593CFCF2A27AF73C32645435CF52B127EFB8BACB94C9638249E1365A3CBB
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):61064
                                                                                                                                                                                                                          Entropy (8bit):6.255909242219927
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:2/Th9sBDRdQNV0nsDMmkL/DDI6ssEtnrFqnK/Yfrc:lRMVvRkLFWtr6K/Cg
                                                                                                                                                                                                                          MD5:9333F583E2D32A47276DCEC7C2391FD2
                                                                                                                                                                                                                          SHA1:8757F8136354B7F98407CEBFE8BDA6043972D88E
                                                                                                                                                                                                                          SHA-256:AF36609DF5F1F9375354E68E2B8EA57059E44DEC3D089CD9EA509F0816D71294
                                                                                                                                                                                                                          SHA-512:922578EFA998B4B92192F3A6839059C01406997F3DBEF0DE70C7BA3F6D73CBDEA04470CD6C214778AAB59EB7602AC354750AE5D97C66286F1215BC415B273222
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:DOS batch file, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):153
                                                                                                                                                                                                                          Entropy (8bit):4.487708026306449
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:mKDD2G2FuyW+jBFWRO5Na3ymIaKn/kuD/RAKaXyXshWoXnPTHaW:hiPFvL9FHza3fxBuZaXhZbaW
                                                                                                                                                                                                                          MD5:2D0CB38D144B0F1A34BD6F715D697658
                                                                                                                                                                                                                          SHA1:65B935BEEE274E0BB6C069CB8FC1022E187ECAE2
                                                                                                                                                                                                                          SHA-256:DFEE16836EBD2D8E76D0EE660F9B22154A3513591061FF9EF9E540094DDEA8F6
                                                                                                                                                                                                                          SHA-512:472D2F8D2C58BC96C100674995A580F0EA3A60F42971A850582CEDB4B9108D42F7CE8D87410203C50EAD3F16B9CA92F3DDB1B4D543F2418FEF6259E754359987
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:@echo off..@cd /d %~dp0..start sc stop fastestvpndriver..del %systemroot%\system32\drivers\fastestvpndriver.sys..release\nfregdrv.exe -u fastestvpndriver
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):585512
                                                                                                                                                                                                                          Entropy (8bit):6.002108518534667
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:kavF2w273DAx5at3y6/c1M94lh7NX06qkX/0IT7/5:kAF2w2jE5k3y6/cyinNXy4B7h
                                                                                                                                                                                                                          MD5:2C700BBCDA59BFE2CD7EBF9BAA5B2626
                                                                                                                                                                                                                          SHA1:72EFAA0E8652FB4ADC21E4484E7F63AA968F39D2
                                                                                                                                                                                                                          SHA-256:C9C59AB5B3369B97C85129F160491BD743B68DE1AD41EE6EEBA69009407B54E7
                                                                                                                                                                                                                          SHA-512:0911C7FED9653D9D50BAD7219E45778367DE4B105B5079A8011415F65465B80782A98A503CEBFB309997BCFB2A8620402579456565A24C69A20CBCBD0130DA20
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):277
                                                                                                                                                                                                                          Entropy (8bit):5.0491979415178765
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:ShdEdI5KGdXrSwCoXV+hn5A59eT5U+hLQsPti5FtEEs6EsctB6WEsF2WEsF+v:6dEKwGxOsw7BB6S2zv
                                                                                                                                                                                                                          MD5:C8768E552ABCA40175C704E4AF1F030C
                                                                                                                                                                                                                          SHA1:7B8A3BC3310EE72006FD2C5A4D5F4FC60171C81B
                                                                                                                                                                                                                          SHA-256:50259EEA13E0A9CB0AC48181F8F4345E6558EE8536CC71D0F6E2F63AE9D89D33
                                                                                                                                                                                                                          SHA-512:09FD06DB34894F1EC79B607217DC70E204793E04C58B846DC495DC915F38C1311AC1EE0D3C5CCDE636D8A3D6CE5631EF7291D3617FB3F900FD072CEA5831B573
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:OpenVPN STATISTICS..Updated,2023-09-03 07:45:36..TUN/TAP read bytes,1979..TUN/TAP write bytes,9103..TCP/UDP read bytes,15521..TCP/UDP write bytes,5150..Auth read bytes,9103..pre-compress bytes,0..post-compress bytes,0..pre-decompress bytes,204..post-decompress bytes,213..END..
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):42120
                                                                                                                                                                                                                          Entropy (8bit):6.157445136592099
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:tFRn6+bvfApVjLj1mFU6rrFqyO9K/Yfryu:tFFepV3j1mm6/pO9K/COu
                                                                                                                                                                                                                          MD5:F6AFD5499FCC5D464085AD889BAE09B7
                                                                                                                                                                                                                          SHA1:287C540655FCED0C09DDA2D9C4EADD3F3E210B17
                                                                                                                                                                                                                          SHA-256:6EDA54D746C092A45395399319DFC878E5674C84FAB8147821524A0042C03F47
                                                                                                                                                                                                                          SHA-512:BFD5ED90D0F16A2F0BCC22B0E847D5781A7B11D6912A51CDC8FCAAD80BF191D821418F7544BF52BF6E1AAA47D06A5442601543E9C25B2352D4E23AFC0C4668F9
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):94856
                                                                                                                                                                                                                          Entropy (8bit):5.499392443352034
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:RmYSYxGfIZnRnD6M7EFOUakPhtUn6KXF4O7Wm1xK/CpcW:QYFZnRDGdvPXU6K1RWmPK/4h
                                                                                                                                                                                                                          MD5:834EE5DA601A6C78C43C64F6C282682F
                                                                                                                                                                                                                          SHA1:03920B402B787CA53CD79A66B0B611C899B91F3E
                                                                                                                                                                                                                          SHA-256:754B61DA108CC9379585E18DDCE90A8092C1B17DA5D922A6E8D6CE84A90B0F87
                                                                                                                                                                                                                          SHA-512:C4A6A49D1EE316FB9EA399487EA17DD813C0A611F473F4FD054D07F6D5C6BB786D40FA478254A499DB3E1D5F0AFDA3B72651EF097945D0C3AA9F0D83D9C0ED06
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):89736
                                                                                                                                                                                                                          Entropy (8bit):5.522767465825831
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:3urhT5+KybRpnE8K74kca7NerB8iXpYmRRXvdi82BSOe9oKSJ2SLD0BEZWkAzrF9:w+KY04RMmSCYmBiF4O7WTn8K/CI
                                                                                                                                                                                                                          MD5:2CC3AC572A2170108BABD019F0BFE779
                                                                                                                                                                                                                          SHA1:AF962245CE32D5801A380FF7F6B8C87AC7772AB2
                                                                                                                                                                                                                          SHA-256:755315DFCC9C72CBE4EB33AF34E9AAC0BD1324C6942F4B56AD9FE0135E1A9299
                                                                                                                                                                                                                          SHA-512:891D545DDF35BF8C650FE8EB48A5E5F6F7C50036E42BE893417AF2EF886EB37C5BEEE9DD838A8F020728E4BAE803F2753CC8F6DD7958DD31B5B39DAED7EF464B
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):93832
                                                                                                                                                                                                                          Entropy (8bit):5.485112927422894
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:fP2K0pa0WfEYp9Y/XQhpgnbP212YCJpDhiF4O7WGkK/CH8:fePOYe4bu1epDh8RWGkK/b
                                                                                                                                                                                                                          MD5:8E7EE7C3876683902475753519681407
                                                                                                                                                                                                                          SHA1:75FACB7F9C59B284F97956E799E57FB0F606C49D
                                                                                                                                                                                                                          SHA-256:6D5041A8EF796C66BA151D8FCFAFDD96BCAA99B57D2777897FD25A87A5E41E13
                                                                                                                                                                                                                          SHA-512:523EBF3A4DF9F6D299E72079DEF0A0DA9127601796D9AA613B70AD2F66EE2166F4F8F75083F47E67FFFD892A09FA437F3B12BD1B27065200E90F8617E3E83727
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):323472
                                                                                                                                                                                                                          Entropy (8bit):6.260791393809843
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:xadPqy3/nKyWFZS3PCmxiVvUTiJ+1I2hWHlHTkPXdxs4:wqyAA3PCmwV8i41I2gHlHTkvdW4
                                                                                                                                                                                                                          MD5:128D06B8C5739F35A7C76A76BF1E6149
                                                                                                                                                                                                                          SHA1:901F9698BF4C4A10E8E902E6DBDDF1782E1067D0
                                                                                                                                                                                                                          SHA-256:BF585DBC4E4DCE47F9EFDEEAD15F67A69644CE6F1177CEEC518882DC85ECC096
                                                                                                                                                                                                                          SHA-512:ECE9254486347751D6F68AE86AFB36508FED81B00C4588F555DB584A0E9DE5F4710A24E6BB5B2B19A25BEE20AA4BF90068F9EB2E37B48271614B6C97199E419C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):543632
                                                                                                                                                                                                                          Entropy (8bit):6.3781262731970685
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:zqzF5VH24Jy+0PeZOYbxobw+QY0heC9lVNLETyoK:zqh32SRoc+QY0n9lVNLETbK
                                                                                                                                                                                                                          MD5:94267176E212B8EBFF06728CC6C3F432
                                                                                                                                                                                                                          SHA1:F65313083C2B3177F405B7AB884BA0A9BE3251D9
                                                                                                                                                                                                                          SHA-256:08D08CBFA4D5531CEEE16BFCB2255EDA79C5B7F7C0894C4E6F49F673457AB362
                                                                                                                                                                                                                          SHA-512:014459C9D3DBE7C09E0D6DB085CE9F715248BA6D784845339B2D6896A8BA7B680C93E707D4990350E30C8853A95FD0DC6F8E9244643787DB65AB8A2F95C26967
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):323472
                                                                                                                                                                                                                          Entropy (8bit):6.24323878406639
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:aK/qrBUA8kikYQQ2sXvNnot1bdNtb1lHSdrkjoE:a8qC5kikpQX1ny1bdv1lHSdYjoE
                                                                                                                                                                                                                          MD5:BFEC2012B6589D4496EA0283E90A5269
                                                                                                                                                                                                                          SHA1:813E3FAD5CFE4A30E20F05080D106811C5544FA3
                                                                                                                                                                                                                          SHA-256:F9406ECAA9C86F2946F8B9D997F0210F1F5EE974BE6548D1DB039014D1B45552
                                                                                                                                                                                                                          SHA-512:396F28EB15ED793DB453CD3B3E9118F4386FE24A75E3F3914E881CCA3ADA8918B98751BDAC51C4A5E897CCA1E700B2A545686463A6B0DD6719EA172682CFB928
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):99976
                                                                                                                                                                                                                          Entropy (8bit):6.499161413646961
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:yWHL+4KsAzAfadZw+1Hcx8uIYNU5U9H0Q8ecbjt1BHK/CeS:yWr/Z+jPYNV9H0Q8ecbjt1BHK/pS
                                                                                                                                                                                                                          MD5:85054BAF6D0A7D31A18183ACC4CBA133
                                                                                                                                                                                                                          SHA1:24830C002FFAB31102DFB674B52AFFD74E90E708
                                                                                                                                                                                                                          SHA-256:EC86F182F55A338E26F598638F18422E474C6D6C651E1D9955D0303254BF6DDD
                                                                                                                                                                                                                          SHA-512:B6B7D9115ED1D734D7C0EB09E7C7C96EEC29E2C59B8943586976F2182E46B660B99C1947ACF2C1DEB75595771A78B7405FDDBB989A2F06CF88E4AD3D8824055A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):589712
                                                                                                                                                                                                                          Entropy (8bit):6.371606969587959
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:Qnu0YqCbnvh0xDqjFR0NdzhdkPJZIR0vnrXkcc9VNLqYWTF:Qu0YqInZCD7mZI0vnrPc9VNLqYWB
                                                                                                                                                                                                                          MD5:EAB165F7A1856FC4FC191416A26F20F3
                                                                                                                                                                                                                          SHA1:3E3BAAA9A8AE20680D4B347A3A65E4A388DC0F4D
                                                                                                                                                                                                                          SHA-256:A2C87DFE4D43C7CC8AC44F2AC43BD45EC4F3F6BA87A2C73AE8B55F26286600E9
                                                                                                                                                                                                                          SHA-512:897E0F107BEB1FCC6402183C535F2550E954B379451415E8B40403D0575EFA6E1D1373F9F0B9A0649AB09515259490C7BFB9E9926F76735EE513F68460FB5143
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):539536
                                                                                                                                                                                                                          Entropy (8bit):6.374120901700144
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:F2qV/eGvVJVbhqs7MRkPXpaCLz9gS+f/9VNtP8zC:F2q9rVJeMp1Lz9gj/9VNtP8zC
                                                                                                                                                                                                                          MD5:7024D49DF9315B5718F40FCD29A8656F
                                                                                                                                                                                                                          SHA1:EF243D1EC09F2FB714459D596F40A87B5B51C054
                                                                                                                                                                                                                          SHA-256:51877E41297AE94FE33D01D980717AE18938A3E81A32C57ADC77D754EF7E66BE
                                                                                                                                                                                                                          SHA-512:D9B7661B923B45020641F80A4695079A86F92848A022C8374C9339258A3F63D628000628CF75163B7C707A8506BB4D4928A1EA75E09FA6416EB9A2150EB5B705
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8184456
                                                                                                                                                                                                                          Entropy (8bit):6.15917051663501
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:98304:AD3K0YyOAYcd0ZLpNu6JmM1W8YcTpOG7ZE78O:ALzUwsFYc9OG7ZE78O
                                                                                                                                                                                                                          MD5:5850A25689FA1B36CD6B76E2E7F6BDB3
                                                                                                                                                                                                                          SHA1:299CEBD4CD448239BF5094DCC0632100287C0B85
                                                                                                                                                                                                                          SHA-256:803870B4FCC1A8C0675EE1D5AA5DEB4132514974CDF0F8F7BA40035377FFDCFA
                                                                                                                                                                                                                          SHA-512:F64A196D0FE937112604D7B0CFE2099928987ECEAA650728C88ECE9BAEF288AF2E4BCDD52D3199D8787290F5071287DAFA5DC6FD44775E52CA1E04237411888F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):22184
                                                                                                                                                                                                                          Entropy (8bit):6.685941492131545
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:1hKpVrz0BH8aZqmgBTKDAATaYIYikfF0FP27NBY3Yuv+8N:1hKpVcB15KO7aBYimOK/Y/+g
                                                                                                                                                                                                                          MD5:AAA9DA932D572F5B22CBEE1B4E479ED6
                                                                                                                                                                                                                          SHA1:D708727DED1298610C2E3D72C8792F12FC60CFF2
                                                                                                                                                                                                                          SHA-256:73B55714DB609A1712FD4FC420CE18441E41BB7E3E94D73B11AE28C68CCB1124
                                                                                                                                                                                                                          SHA-512:40A8E2CB18FB2D68F0945B6FBF259FA9331327116A6D21A85AAE6AA12600F7FDD3737B5E84E0AE04C584442016882926D9201E16C25EB937838C8BAC24358779
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):61608
                                                                                                                                                                                                                          Entropy (8bit):6.287396747644481
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:SmOGveifSTtyXEQ3nPGLb4PFvSMJCD2j+/IfHq1wJd9P581Icm/DskdFPYi3K/Ye:yLTtyXEQ3+bO6U+QlrPi1QLsgFP73K/h
                                                                                                                                                                                                                          MD5:A760AEACBE049C8C0D5DD66DD9EAA7A0
                                                                                                                                                                                                                          SHA1:975896722F2D5A365621EE407ACE3E3294CFC1C3
                                                                                                                                                                                                                          SHA-256:C3618538771839CBC6A855E41A1664D5B86313070FC75CA1B58EF74D007DBDE4
                                                                                                                                                                                                                          SHA-512:64CF42CF493686A4286320819D10A37CC075088509866E867A341651B7762FFD88750417E3AD72E6FA78908DD17C66363752E5AA2955066BA4930889D36AE3CA
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):75432
                                                                                                                                                                                                                          Entropy (8bit):6.020201057914009
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:mjb2NmqeZsE64aEKbMsZG0EN3ovewf8KnWE7LJ/ZEBiUN7TK/P:mjbUmqWL3M/WkV2ZNHK/P
                                                                                                                                                                                                                          MD5:8DC8D595216B1D7703575B77282F7147
                                                                                                                                                                                                                          SHA1:5FBA510AB9D9677B5AF28757BFCFC3E6EE3228F5
                                                                                                                                                                                                                          SHA-256:7A8833790323071279C55854F35A1A802BF5D5766CABCFA381889460F95D5864
                                                                                                                                                                                                                          SHA-512:F1E79E49CF5F10C9BC88D2AAA078FABD772027360A8C9692334AC3BBCDFEEDD93C2C6234F4DE6C6B4AFBD443FD6315633FE8943229EE0CB8CA6A6F29C2AE97EE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):70824
                                                                                                                                                                                                                          Entropy (8bit):6.236705505937758
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:dMDv5NwVvDK0HBDk4rVHe061i/kObvmaLLJBr+tTB7sK/T:SorK0HBDk4rV21HObvm2LJB4BAK/T
                                                                                                                                                                                                                          MD5:F7543F2749BAB00FB981A41BE19734F8
                                                                                                                                                                                                                          SHA1:8BE0A90C7C011EEF0A775A518F2A29CE4AB035AA
                                                                                                                                                                                                                          SHA-256:634CD208B4FE8DB050AC7D782CB953D51E266B62369F0F80B0CF9D10D077A76F
                                                                                                                                                                                                                          SHA-512:160FBEB4AE704D00800656274B7680003C64559867ACEFB9274A23A1AEE45A145254E66DF423653CC3776A2FFA2A4F98BA93510109CF9963AED4CEBA2913A106
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1685
                                                                                                                                                                                                                          Entropy (8bit):4.793020246491965
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:LLVFOGbexvLxcESrKFR8v4rUKtr4DsVZd+LJ0I6YIXjf8bLVFOGblLQM9XIxkKxV:0VNcVrYR8grUOIsX5I6vXapIKKbv
                                                                                                                                                                                                                          MD5:92C0400BF8CDD574F669E40B8D0C2BAB
                                                                                                                                                                                                                          SHA1:3EB5155763A3A204982D4231C7E882DC91F0016F
                                                                                                                                                                                                                          SHA-256:FDC8BFD5790E64F7DE5425BBA4C80A2E8F1648EE037D9A2B61070A8565B12A4A
                                                                                                                                                                                                                          SHA-512:9698839D57A4E3A34BA24CB4BDD6CACF97695748089448AC259CD939D952DF395C82A83E260CF75F8004FE33561E1365CDA1AF1C2DC70F63E28E6EA7403CED0D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.Uninstalling assembly 'C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe'...Affected parameters are:.. logtoconsole = .. logfile = C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog.. assemblypath = C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe..Removing EventLog source FastestVPNService...Warning: The source FastestVPNService is not registered on the local machine...Service FastestVPNService is being removed from the system.....An exception occurred during the uninstallation of the System.ServiceProcess.ServiceInstaller installer...System.ComponentModel.Win32Exception: The specified service does not exist as an installed service..An exception occurred while uninstalling. This exception will be ignored and the uninstall will continue. However, the application might not be fully uninstalled after the uninstall is complete...Installing assembly 'C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe'...Affected
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7466
                                                                                                                                                                                                                          Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BeUanDtEx6vU4ZPn/R++JDrk:NexdYX7OqWovsx1EvsrJ
                                                                                                                                                                                                                          MD5:FFB29BD88BD23C639985F1D369DBD1CA
                                                                                                                                                                                                                          SHA1:F0AF5F803F59668AD52EA4B212A1CDE00DD5FE14
                                                                                                                                                                                                                          SHA-256:1ADB4F9D1D152E018246A0A2762B473D910906340207F57D3F8CE1097E1DE09F
                                                                                                                                                                                                                          SHA-512:1C12CF185691EE3D44A8522665F6AD20F41A4EE9C5A758B8DD2ABF7CC8F5F863F5CF5CB919BADFCDEE40394A89DA2C9A9601B93FB01B867932FAD4C03932B94D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.588649497011045
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:RYTtf+jLXlZfCd8RzDiFrlwkmGWUlupd0IYisq+i0FP27NBY3Yuv+42r:RYpKjlZfC6Fqg7FYiQ7K/Y/+42r
                                                                                                                                                                                                                          MD5:22D4E4267DFE093E5E23C2F3D7741AA4
                                                                                                                                                                                                                          SHA1:AB18989C4442EB204528E64B18000E8E02FA2C50
                                                                                                                                                                                                                          SHA-256:4E296E9B159F5D64E6E71821C9C06260AC02EBB424823ADA64E97DFD418C3CA1
                                                                                                                                                                                                                          SHA-512:7F6D1228F93E454477E3C4250D1D0C78995DE8D9AE07FA585DC8BDCBB4A1046338B66BEFE0BD9BF63F61085657F7080A1C6350403292E484F047F9ED791EF43B
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1327
                                                                                                                                                                                                                          Entropy (8bit):5.042117116126737
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:JdArztW1oF7Nv+pvH2/+jSLVhOXrRH2/dVv+BvH2/+jSLVtvH2/39y:3Arzcq7h+Fg+mL27Rgdp+dg+mLPg3w
                                                                                                                                                                                                                          MD5:E40244BE7715300DC4BA229C25237728
                                                                                                                                                                                                                          SHA1:F9D299542C616D860D495CE59A6FD2B90907B2E5
                                                                                                                                                                                                                          SHA-256:AE5027694FF0D363F757F112162AC8D49550826872C9A5B2BA67A75F56109C4D
                                                                                                                                                                                                                          SHA-512:CBEA4111D0A2D8BB5FF5AD631728C85A38668C6D470AB8A4D59D5334B9309EF34125E9A9F70EA942113212D5B1FD5EABF9DF860F9112B52D55C95EE32BB8721A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />.. </startup>.. <runtime>.. <legacyCorruptedStateExceptionsPolicy enabled="true" />.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.2.2.0" newVersion="4.2.2.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.2.2.0" newVersion="4.2.2.0
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1004
                                                                                                                                                                                                                          Entropy (8bit):4.743456157396208
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:0wL/mMAGQOhPs43XVwL/mMAG8ipNVewL/mMAGbNXpsgOhn:0LTqnVLh6eLY5c
                                                                                                                                                                                                                          MD5:FB8F7A7B8FD8826568D2DEE10D1C9AC1
                                                                                                                                                                                                                          SHA1:D59BBFA7ED11D7044716AD555C4618824133A06C
                                                                                                                                                                                                                          SHA-256:B3C7D69A8763580BB1B0978B8C87FED4E1C8C9934497451D3D813B46B3F8A3F3
                                                                                                                                                                                                                          SHA-512:9DE3C7198F3C42227B9DE16246C189DEF584F51B2A17D210D3ED37346BD7B32989B5CB4F26F548E8FD3C88B166F6FBC1BB3A1DA1A35E83DE417ACC0F4A624485
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.....The uninstall is beginning...See the contents of the log file for the C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe assembly's progress...The file is located at C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog.....The uninstall has completed.....Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe assembly's progress...The file is located at C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe assembly's progress...The file is located at C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.InstallLog.....The Commit phase completed successfully.....The transacted install has complete
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):347016
                                                                                                                                                                                                                          Entropy (8bit):6.2576059322299855
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:+h0+XUaITFNwVI1ZdMfWsaYi3am2Wt6hn7UQjva9v:+u+XUTTvvndMfv64oQu
                                                                                                                                                                                                                          MD5:F4B5415B6C9EC38B073779A034421747
                                                                                                                                                                                                                          SHA1:DADEC8724A898C84A9F52A86A5D0ACFA71758341
                                                                                                                                                                                                                          SHA-256:2672829713F57630F2FC4DA57926456DDA7832F0E0F474F06462D2340B4DC4E3
                                                                                                                                                                                                                          SHA-512:82C58B9061CB8B4603B88AB69CD43461A886029AA7CE1A1ADB614F07EEE90FA979F7CC524272D6A494BADC79254906182DE5A90BF992E48160CA5C3DBE57C334
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):24976
                                                                                                                                                                                                                          Entropy (8bit):6.836703429014385
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:STg0otikxUoOHLLEzFzd7h8NTif2+3mJJWg/0W2yHRN7OBu1x85zR9zphght:SwtLUoOrud7hqE2+3mdYuz109zpc
                                                                                                                                                                                                                          MD5:5E8C253B1394C1E6E396A939C9FC9068
                                                                                                                                                                                                                          SHA1:6AE721F34E256FD90A99617BA19040D45FF6A41F
                                                                                                                                                                                                                          SHA-256:4B1A93C57580BD0F304B214EAA3C451272821ACAFC6A0EAE34976606030E0D69
                                                                                                                                                                                                                          SHA-512:22CCA8638EF56059A9DE79289D3EB8289F0774579059C6785B08D08229E366BC8E9FA591EAAFBB4F2952FF7627D1CA0AB180C2B82555BA9C4BC8806F837F478D
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):166800
                                                                                                                                                                                                                          Entropy (8bit):5.092225196099469
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:JtayaXxHE9B92Pqg6/rKvXkZ5QwupmY6jCPL:yqNDKvUZZkVlL
                                                                                                                                                                                                                          MD5:2839920AD2E9C4B08F97715D88586056
                                                                                                                                                                                                                          SHA1:88F7544BF59DDD40E3C934C938A20164F3B518F1
                                                                                                                                                                                                                          SHA-256:A655B1BC143B918C6F31B52AEA2726C131F474B70BF7E2DDF36FE48B1E6E279D
                                                                                                                                                                                                                          SHA-512:E26A141021648398F109B41275154FDFCF139845466C9A37E80A1AD43725D914FD574F59706AD68404555BCB36490CB307E7E0C9158A8B8E94F97CB93E4C0F37
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):101776
                                                                                                                                                                                                                          Entropy (8bit):6.519631245398067
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:+iE88BMo5Gv8yIu8mRfXU5i8Ubd0L1nDmNxk3NUXwPrSMk7+W+shzS0ICpL:+iE88BMo5Gv8yIu8mRfXU5fUbd01mNxV
                                                                                                                                                                                                                          MD5:58D1267BAFC9E0D9531D7C97A08A3A68
                                                                                                                                                                                                                          SHA1:1EC6E26D9E71D1CB5C885879CC8F6D3762DC5FD6
                                                                                                                                                                                                                          SHA-256:34FB96B4CCA40AC4312E36E3310EACC2C13F2562BAAB7FFE836060965B7AD579
                                                                                                                                                                                                                          SHA-512:E6A6EDE57B59CB675D869D1B5BD43C67C864363CE7168538ABB048F911783181546F7CBFEB29EE49EEC21291EEBD442E3BA9819967F8ABE3AD00AC33C94A3620
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):80784
                                                                                                                                                                                                                          Entropy (8bit):6.644018601476374
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:hwe4Dxq2afEZznigIM8U/w2ZAfiQ922f5qj1NrVuu26zmb:h54DxLaQAOw2C7922i1JVN6b
                                                                                                                                                                                                                          MD5:056A3B1C036A46447EBCA7083DA271A5
                                                                                                                                                                                                                          SHA1:8044FD37E124DF9BAFCE4311DB66D6B931120006
                                                                                                                                                                                                                          SHA-256:6BEDFFF38EB390D01F0D51340B7B4F8F7B3D1C1C6CEE8888C0A8088EDA19283D
                                                                                                                                                                                                                          SHA-512:3399C06120F32219D611D976D778654A2628AC5BA0FA778512FE1101EE461663C5D5819ED5EECF90363F70E69108F5DAA1A3E71E81BB7F9F635AED8908997852
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):65960
                                                                                                                                                                                                                          Entropy (8bit):6.704364809732977
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:qC7HwuzTT2IiiiiHnt7qMkPFb5NMBFv8n+nwfqw9ScubQyvz8:LTT2IiN09yPFbwBFyysqhvQyvo
                                                                                                                                                                                                                          MD5:3B6AD220174768E52510D449C7A5C817
                                                                                                                                                                                                                          SHA1:E76CB664268F45939A0A604E31CAB3DBE957510A
                                                                                                                                                                                                                          SHA-256:294A04A1305277ABDF2539649F8A7909DAC57ECF61F223600227BC1CDED6E2DC
                                                                                                                                                                                                                          SHA-512:43852FA0F4FD12967DAAF81613FF3C52EAD432F39E579E1C5C834595881A9E6AC156BCE326CEE3EB78D11D81AD33792870D31F81D7737483CF36636DB30DFCF1
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):122256
                                                                                                                                                                                                                          Entropy (8bit):6.572766216409801
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:nU40ONP+ki9jNhepTRIvy2V7iOHckTTv0c7tSuagvcCy:ShenI6w7wk0Sq3
                                                                                                                                                                                                                          MD5:C24CF68C9012B4E261D2FD6B2240BBE8
                                                                                                                                                                                                                          SHA1:45844AE139DB45652AAC12E1D6EE138ED709E261
                                                                                                                                                                                                                          SHA-256:42ED395C54526DAD6AA275CA2A65F6DE6E94BC8CEC8548CFB9891BA430FF1974
                                                                                                                                                                                                                          SHA-512:DDF7872EB70E9546D28A209A562C873BA9E9402AD600C3D44ACD425FC7337C19B581A8C06F8BAD5987B36EF82895AAD0DA48CBC7E0E64886CD0EB7C9884FFA4D
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                          Entropy (8bit):5.967185619483575
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
                                                                                                                                                                                                                          MD5:195FFB7167DB3219B217C4FD439EEDD6
                                                                                                                                                                                                                          SHA1:1E76E6099570EDE620B76ED47CF8D03A936D49F8
                                                                                                                                                                                                                          SHA-256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
                                                                                                                                                                                                                          SHA-512:56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):15528
                                                                                                                                                                                                                          Entropy (8bit):6.93175318343703
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:KKE4Nl+ACIYiYF80CX+0tvTS8hFP2bnNr/ZyGMLBVYvmvVKNFUK:ZE4OhIYifS0FP27NBY3Yuv+n
                                                                                                                                                                                                                          MD5:ADF6FCD8199E4DA7F52FBEBD9D9496D7
                                                                                                                                                                                                                          SHA1:17E7E444AB035AE759D3B0E48928B7D23CEC3682
                                                                                                                                                                                                                          SHA-256:C1AF49ACF4E6E9B77C025405CB31E6493F4A9A0080AE48381CE3B36EC5E1D76E
                                                                                                                                                                                                                          SHA-512:72F42DC40B2B1B9C25F0B4BC6E18BCE4B9F144A39442B05E5DF6FB792EA1F5E0645E5CF6251918AF0D81316437982ADBE6892992E4F4323CF48C84A6B08FD809
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):28648
                                                                                                                                                                                                                          Entropy (8bit):6.283743404391549
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:vPYMDLxA6GikwBUGkXkFmDKAsIh5V7L5XWmzWNsWtyHRN7XZj05seyR9zHA:vgMmZ1dUdGZSDuXZj05sN9zg
                                                                                                                                                                                                                          MD5:9FFF1DA4E481028262E27AEFD7C0EFF4
                                                                                                                                                                                                                          SHA1:B0128E42E3CE3C295C48461A651AF99D95B5A04D
                                                                                                                                                                                                                          SHA-256:3FDB918CC5F1E5F1FA9C155DC68AAFE10A16C73ED934C06B201ED94070EA985D
                                                                                                                                                                                                                          SHA-512:6B02B873C4092BFE3C2D8428093696E94C6021DB9D6FA8740E79DF7C6C5208229ED7AE8A62E96597EEEF348956BC6AB79375292B6456162F78D332E3830B75EC
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):35496
                                                                                                                                                                                                                          Entropy (8bit):6.3718937380199785
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:PS78zRHlzbzaxUxU7y7y7y7S7CxUxU7y3K7yTyTTN77xNTOLSxY777DKoRREEK7/:PS7DOOqf1RuhC5v7YK/CW1
                                                                                                                                                                                                                          MD5:D438F337397A4CB3CA4E87F70BC4B4C0
                                                                                                                                                                                                                          SHA1:FB6FB592744E34BA9B8B9E2B05F6D9C0C983F353
                                                                                                                                                                                                                          SHA-256:80E40E47F7D6EB2C9CB357B1B3951D0B0429087F44BEC066993C26975CDA4A76
                                                                                                                                                                                                                          SHA-512:8B9E589D378775331C08CEB908C4FC3BCA2AFBEA776E86163E5C641BF1D5F5E84BBA76B6E5C0102EC388005F8D09EAAA80DFB60185C83BF462543A6903236204
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):60584
                                                                                                                                                                                                                          Entropy (8bit):6.426868083769682
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:W0YiwXHy9lkD6vudI9C3dt8dNbm+ESg34o556bYIDwpFGpphsA/FIDbaFLdtlxnn:WxJ8kM9CHJ6bY3zkXX8u4iNd7EgIK/X
                                                                                                                                                                                                                          MD5:D4BECC422A254D1A75CFC60750572848
                                                                                                                                                                                                                          SHA1:2AE1D45045828B8D9A57DD90213F462D72F9A98B
                                                                                                                                                                                                                          SHA-256:A8BC4A168A5F9CD7ABBBBFF3F0794F433233A72D557E168AF42BD34FFF3A2F34
                                                                                                                                                                                                                          SHA-512:91A1E21F87868A00CF715018577A028413CB638A7965756324AFCF16A6108906DCB355959882C2C555C7276EF1A70627E455B4057695DE8C462E4D0679FEFAC5
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):31912
                                                                                                                                                                                                                          Entropy (8bit):6.377780370750934
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:H4sSUSsK/Py54Iu67VMam4AX10KIUt0kYcT/EDYZGSPeyc8cHIlkLi7gIYiNZs0t:HzNK/G4IfVswkYLy5L7pYiNbK/Y/+hM
                                                                                                                                                                                                                          MD5:14515F3569114E0060716ABD3AB3265A
                                                                                                                                                                                                                          SHA1:9E2DBC71979FFB5E3270C9353EA53448D9E07544
                                                                                                                                                                                                                          SHA-256:94DEC461C651A437049E2E5CBA046684E7177C350B836B363880EEEBDD1EBDEA
                                                                                                                                                                                                                          SHA-512:7067B02E1493A61BBABA8DDF922A8B5FDC31466F0E28ADAC116865661E739D6939863C44212FB0A22C49D2F3F03D2C28221E54C15FBC6387C43BD47637A349E4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):41128
                                                                                                                                                                                                                          Entropy (8bit):6.401085070695131
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:lQq+jQ+JutCjyVmF8Wq8sBP3/7lpKaDBuz3bzrzlJBOKipq8pdwYv4qzsYiCtRKS:4VutFQF873t3/77KaDBuz3bzrBJBOKiT
                                                                                                                                                                                                                          MD5:AD53B27150F1E38EF23BD155A07E2313
                                                                                                                                                                                                                          SHA1:3A9A4383B9286A0E1A3F4102BC56437A5A961E41
                                                                                                                                                                                                                          SHA-256:62DBC8A6D43D623E5F267B59A3C78807CB08EFBE37A06A67425C9458D8B985DA
                                                                                                                                                                                                                          SHA-512:F8D471175E39425F1E1613C60EDD9D1A98DBACC98E3F18746AA642524AFB7D9F9A299B2BE33629200AB94538BF95C78B6343DE193EE3AD48B1CFC1DD4E37E9D4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):20136
                                                                                                                                                                                                                          Entropy (8bit):6.721932799011409
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:WaXxdsvBO/dITrZ+VK6G6IYi+PVC0FP27NBY3Yuv+cN:WJZl6GHYiGZK/Y/+cN
                                                                                                                                                                                                                          MD5:8E6A799F0DA3FBA278F06D4C7A18E7B5
                                                                                                                                                                                                                          SHA1:B9AD516A47362FFAF360C1E8794D2F10C8E7080F
                                                                                                                                                                                                                          SHA-256:1029DDF44F3CD774754DDFEAFB97BE18CD31B50DE24F19870F9BDE8163B5DEA5
                                                                                                                                                                                                                          SHA-512:4607E418C0BE1F632CBE5CE0A8F1877F45EB873C193B4FF7C52495E891BD05D7F3AA3847D97F36D7B5601FCCAFCF6DE4A822140D9610C9E9BCA900BC06C67DE8
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):18088
                                                                                                                                                                                                                          Entropy (8bit):6.788270069437216
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:CiqjQN+Pw2X6VUYNVYuKAiIYiUOI0FP27NBY3Yuv+Pg:1qjQ8f5uKAvYidpK/Y/+4
                                                                                                                                                                                                                          MD5:A891AAC2D9FD1B939E07BE155AFC84FF
                                                                                                                                                                                                                          SHA1:7F977350D9CFD10C259356D98C0606779519C6EF
                                                                                                                                                                                                                          SHA-256:38D6709A0A003761850933F79132CCDC40B6F26460169BAB092931BBA1500683
                                                                                                                                                                                                                          SHA-512:E4227CA484824ED3C912A58B741B4A447ACC50DFFB9945165303D5362BA39217FFAEFC62DF60D292A8B081DAD82CD85593FF64DB93DBC26465355D89AA527724
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.829205499580206
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:+NjMaZomdl7FUC9mhsCVoNycrjIg9J197j26dIYi5YFK0FP27NBY3Yuv+QgP:+HhShzuD/Bpa6KYiyFjK/Y/+PP
                                                                                                                                                                                                                          MD5:76DC589253A2FDAAA3CDD02E9F5421DD
                                                                                                                                                                                                                          SHA1:A072B9CDDBDC150394643EBFD565A2443AFD9501
                                                                                                                                                                                                                          SHA-256:9AC1C9B0343F4D9638FEB4FA25824AFBD2D829EEBF13E54A5FD2197CED2118B5
                                                                                                                                                                                                                          SHA-512:50A85E3C61A2506912BC0F4547079DAB2C6B60A882127A4C3087C9AB4065C6568B1E8D4AF246D68BFEE7E7347664883A2FC8E00E2E58EA1DE867FE33D8220861
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):116872
                                                                                                                                                                                                                          Entropy (8bit):6.726218253535254
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:8tw0r3S8FpUCSBCLiXdb0NphY3kWlon6ZhPn8agN6K/p:8mWi8FpCBCLybQakA/Pn8agNj/p
                                                                                                                                                                                                                          MD5:B9F4D43230B7FB66B95AF05DC03B32DE
                                                                                                                                                                                                                          SHA1:56F868C56FFF836CA61055499988F965DCA37D26
                                                                                                                                                                                                                          SHA-256:A103634B16841E3A68DD4A6BCBDFC3A1651B8C9F1114D99BF01CA31297664E21
                                                                                                                                                                                                                          SHA-512:50EB5DE7D0A1B5D7E1AC38209488635EF77733C2C78DC39D0D473904128DBFC67D4E3EC388D2C2D79645AFDF03FD1965386F6E6D21553C9A6DAB07A58549FD1E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):20136
                                                                                                                                                                                                                          Entropy (8bit):6.721932799011409
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:WaXxdsvBO/dITrZ+VK6G6IYi+PVC0FP27NBY3Yuv+cN:WJZl6GHYiGZK/Y/+cN
                                                                                                                                                                                                                          MD5:8E6A799F0DA3FBA278F06D4C7A18E7B5
                                                                                                                                                                                                                          SHA1:B9AD516A47362FFAF360C1E8794D2F10C8E7080F
                                                                                                                                                                                                                          SHA-256:1029DDF44F3CD774754DDFEAFB97BE18CD31B50DE24F19870F9BDE8163B5DEA5
                                                                                                                                                                                                                          SHA-512:4607E418C0BE1F632CBE5CE0A8F1877F45EB873C193B4FF7C52495E891BD05D7F3AA3847D97F36D7B5601FCCAFCF6DE4A822140D9610C9E9BCA900BC06C67DE8
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):116872
                                                                                                                                                                                                                          Entropy (8bit):6.726218253535254
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:8tw0r3S8FpUCSBCLiXdb0NphY3kWlon6ZhPn8agN6K/p:8mWi8FpCBCLybQakA/Pn8agNj/p
                                                                                                                                                                                                                          MD5:B9F4D43230B7FB66B95AF05DC03B32DE
                                                                                                                                                                                                                          SHA1:56F868C56FFF836CA61055499988F965DCA37D26
                                                                                                                                                                                                                          SHA-256:A103634B16841E3A68DD4A6BCBDFC3A1651B8C9F1114D99BF01CA31297664E21
                                                                                                                                                                                                                          SHA-512:50EB5DE7D0A1B5D7E1AC38209488635EF77733C2C78DC39D0D473904128DBFC67D4E3EC388D2C2D79645AFDF03FD1965386F6E6D21553C9A6DAB07A58549FD1E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):159368
                                                                                                                                                                                                                          Entropy (8bit):6.32384599449582
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:OcqXDYZbIkCKezJaoCNVljUmcmAs6Jm4AFt2iPaTatnhrOKK/E:9qbKwcB4njeXBSTcpOT/E
                                                                                                                                                                                                                          MD5:7AE17C855F3CC63174E90EA527B6138B
                                                                                                                                                                                                                          SHA1:0FE1E1B2252511F33EDA3FFCF1F8FC8586AB040A
                                                                                                                                                                                                                          SHA-256:26FF04208EC4D26EF4DDD9B3CF01C4D2A1544550BCD59EFDE6F30170053A1170
                                                                                                                                                                                                                          SHA-512:453BA41332A704F491FC9E1EE5FBE9F883EDDB4C26A71D207C93992726E9C5B7FEDC48EEEE2A2087F64B083F9473EE794FB2C8F3B77C9DBCBBC47B67816BD156
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):35496
                                                                                                                                                                                                                          Entropy (8bit):6.3718937380199785
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:PS78zRHlzbzaxUxU7y7y7y7S7CxUxU7y3K7yTyTTN77xNTOLSxY777DKoRREEK7/:PS7DOOqf1RuhC5v7YK/CW1
                                                                                                                                                                                                                          MD5:D438F337397A4CB3CA4E87F70BC4B4C0
                                                                                                                                                                                                                          SHA1:FB6FB592744E34BA9B8B9E2B05F6D9C0C983F353
                                                                                                                                                                                                                          SHA-256:80E40E47F7D6EB2C9CB357B1B3951D0B0429087F44BEC066993C26975CDA4A76
                                                                                                                                                                                                                          SHA-512:8B9E589D378775331C08CEB908C4FC3BCA2AFBEA776E86163E5C641BF1D5F5E84BBA76B6E5C0102EC388005F8D09EAAA80DFB60185C83BF462543A6903236204
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):101776
                                                                                                                                                                                                                          Entropy (8bit):6.519631245398067
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:+iE88BMo5Gv8yIu8mRfXU5i8Ubd0L1nDmNxk3NUXwPrSMk7+W+shzS0ICpL:+iE88BMo5Gv8yIu8mRfXU5fUbd01mNxV
                                                                                                                                                                                                                          MD5:58D1267BAFC9E0D9531D7C97A08A3A68
                                                                                                                                                                                                                          SHA1:1EC6E26D9E71D1CB5C885879CC8F6D3762DC5FD6
                                                                                                                                                                                                                          SHA-256:34FB96B4CCA40AC4312E36E3310EACC2C13F2562BAAB7FFE836060965B7AD579
                                                                                                                                                                                                                          SHA-512:E6A6EDE57B59CB675D869D1B5BD43C67C864363CE7168538ABB048F911783181546F7CBFEB29EE49EEC21291EEBD442E3BA9819967F8ABE3AD00AC33C94A3620
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):24976
                                                                                                                                                                                                                          Entropy (8bit):6.836703429014385
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:STg0otikxUoOHLLEzFzd7h8NTif2+3mJJWg/0W2yHRN7OBu1x85zR9zphght:SwtLUoOrud7hqE2+3mdYuz109zpc
                                                                                                                                                                                                                          MD5:5E8C253B1394C1E6E396A939C9FC9068
                                                                                                                                                                                                                          SHA1:6AE721F34E256FD90A99617BA19040D45FF6A41F
                                                                                                                                                                                                                          SHA-256:4B1A93C57580BD0F304B214EAA3C451272821ACAFC6A0EAE34976606030E0D69
                                                                                                                                                                                                                          SHA-512:22CCA8638EF56059A9DE79289D3EB8289F0774579059C6785B08D08229E366BC8E9FA591EAAFBB4F2952FF7627D1CA0AB180C2B82555BA9C4BC8806F837F478D
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):166800
                                                                                                                                                                                                                          Entropy (8bit):5.092225196099469
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:JtayaXxHE9B92Pqg6/rKvXkZ5QwupmY6jCPL:yqNDKvUZZkVlL
                                                                                                                                                                                                                          MD5:2839920AD2E9C4B08F97715D88586056
                                                                                                                                                                                                                          SHA1:88F7544BF59DDD40E3C934C938A20164F3B518F1
                                                                                                                                                                                                                          SHA-256:A655B1BC143B918C6F31B52AEA2726C131F474B70BF7E2DDF36FE48B1E6E279D
                                                                                                                                                                                                                          SHA-512:E26A141021648398F109B41275154FDFCF139845466C9A37E80A1AD43725D914FD574F59706AD68404555BCB36490CB307E7E0C9158A8B8E94F97CB93E4C0F37
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.588649497011045
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:RYTtf+jLXlZfCd8RzDiFrlwkmGWUlupd0IYisq+i0FP27NBY3Yuv+42r:RYpKjlZfC6Fqg7FYiQ7K/Y/+42r
                                                                                                                                                                                                                          MD5:22D4E4267DFE093E5E23C2F3D7741AA4
                                                                                                                                                                                                                          SHA1:AB18989C4442EB204528E64B18000E8E02FA2C50
                                                                                                                                                                                                                          SHA-256:4E296E9B159F5D64E6E71821C9C06260AC02EBB424823ADA64E97DFD418C3CA1
                                                                                                                                                                                                                          SHA-512:7F6D1228F93E454477E3C4250D1D0C78995DE8D9AE07FA585DC8BDCBB4A1046338B66BEFE0BD9BF63F61085657F7080A1C6350403292E484F047F9ED791EF43B
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):18088
                                                                                                                                                                                                                          Entropy (8bit):6.788270069437216
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:CiqjQN+Pw2X6VUYNVYuKAiIYiUOI0FP27NBY3Yuv+Pg:1qjQ8f5uKAvYidpK/Y/+4
                                                                                                                                                                                                                          MD5:A891AAC2D9FD1B939E07BE155AFC84FF
                                                                                                                                                                                                                          SHA1:7F977350D9CFD10C259356D98C0606779519C6EF
                                                                                                                                                                                                                          SHA-256:38D6709A0A003761850933F79132CCDC40B6F26460169BAB092931BBA1500683
                                                                                                                                                                                                                          SHA-512:E4227CA484824ED3C912A58B741B4A447ACC50DFFB9945165303D5362BA39217FFAEFC62DF60D292A8B081DAD82CD85593FF64DB93DBC26465355D89AA527724
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):15528
                                                                                                                                                                                                                          Entropy (8bit):6.93175318343703
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:KKE4Nl+ACIYiYF80CX+0tvTS8hFP2bnNr/ZyGMLBVYvmvVKNFUK:ZE4OhIYifS0FP27NBY3Yuv+n
                                                                                                                                                                                                                          MD5:ADF6FCD8199E4DA7F52FBEBD9D9496D7
                                                                                                                                                                                                                          SHA1:17E7E444AB035AE759D3B0E48928B7D23CEC3682
                                                                                                                                                                                                                          SHA-256:C1AF49ACF4E6E9B77C025405CB31E6493F4A9A0080AE48381CE3B36EC5E1D76E
                                                                                                                                                                                                                          SHA-512:72F42DC40B2B1B9C25F0B4BC6E18BCE4B9F144A39442B05E5DF6FB792EA1F5E0645E5CF6251918AF0D81316437982ADBE6892992E4F4323CF48C84A6B08FD809
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):31912
                                                                                                                                                                                                                          Entropy (8bit):6.377780370750934
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:H4sSUSsK/Py54Iu67VMam4AX10KIUt0kYcT/EDYZGSPeyc8cHIlkLi7gIYiNZs0t:HzNK/G4IfVswkYLy5L7pYiNbK/Y/+hM
                                                                                                                                                                                                                          MD5:14515F3569114E0060716ABD3AB3265A
                                                                                                                                                                                                                          SHA1:9E2DBC71979FFB5E3270C9353EA53448D9E07544
                                                                                                                                                                                                                          SHA-256:94DEC461C651A437049E2E5CBA046684E7177C350B836B363880EEEBDD1EBDEA
                                                                                                                                                                                                                          SHA-512:7067B02E1493A61BBABA8DDF922A8B5FDC31466F0E28ADAC116865661E739D6939863C44212FB0A22C49D2F3F03D2C28221E54C15FBC6387C43BD47637A349E4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):65960
                                                                                                                                                                                                                          Entropy (8bit):6.704364809732977
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:qC7HwuzTT2IiiiiHnt7qMkPFb5NMBFv8n+nwfqw9ScubQyvz8:LTT2IiN09yPFbwBFyysqhvQyvo
                                                                                                                                                                                                                          MD5:3B6AD220174768E52510D449C7A5C817
                                                                                                                                                                                                                          SHA1:E76CB664268F45939A0A604E31CAB3DBE957510A
                                                                                                                                                                                                                          SHA-256:294A04A1305277ABDF2539649F8A7909DAC57ECF61F223600227BC1CDED6E2DC
                                                                                                                                                                                                                          SHA-512:43852FA0F4FD12967DAAF81613FF3C52EAD432F39E579E1C5C834595881A9E6AC156BCE326CEE3EB78D11D81AD33792870D31F81D7737483CF36636DB30DFCF1
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):122256
                                                                                                                                                                                                                          Entropy (8bit):6.572766216409801
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:nU40ONP+ki9jNhepTRIvy2V7iOHckTTv0c7tSuagvcCy:ShenI6w7wk0Sq3
                                                                                                                                                                                                                          MD5:C24CF68C9012B4E261D2FD6B2240BBE8
                                                                                                                                                                                                                          SHA1:45844AE139DB45652AAC12E1D6EE138ED709E261
                                                                                                                                                                                                                          SHA-256:42ED395C54526DAD6AA275CA2A65F6DE6E94BC8CEC8548CFB9891BA430FF1974
                                                                                                                                                                                                                          SHA-512:DDF7872EB70E9546D28A209A562C873BA9E9402AD600C3D44ACD425FC7337C19B581A8C06F8BAD5987B36EF82895AAD0DA48CBC7E0E64886CD0EB7C9884FFA4D
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                          Entropy (8bit):5.967185619483575
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
                                                                                                                                                                                                                          MD5:195FFB7167DB3219B217C4FD439EEDD6
                                                                                                                                                                                                                          SHA1:1E76E6099570EDE620B76ED47CF8D03A936D49F8
                                                                                                                                                                                                                          SHA-256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
                                                                                                                                                                                                                          SHA-512:56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1327
                                                                                                                                                                                                                          Entropy (8bit):5.042117116126737
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:JdArztW1oF7Nv+pvH2/+jSLVhOXrRH2/dVv+BvH2/+jSLVtvH2/39y:3Arzcq7h+Fg+mL27Rgdp+dg+mLPg3w
                                                                                                                                                                                                                          MD5:E40244BE7715300DC4BA229C25237728
                                                                                                                                                                                                                          SHA1:F9D299542C616D860D495CE59A6FD2B90907B2E5
                                                                                                                                                                                                                          SHA-256:AE5027694FF0D363F757F112162AC8D49550826872C9A5B2BA67A75F56109C4D
                                                                                                                                                                                                                          SHA-512:CBEA4111D0A2D8BB5FF5AD631728C85A38668C6D470AB8A4D59D5334B9309EF34125E9A9F70EA942113212D5B1FD5EABF9DF860F9112B52D55C95EE32BB8721A
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />.. </startup>.. <runtime>.. <legacyCorruptedStateExceptionsPolicy enabled="true" />.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.2.2.0" newVersion="4.2.2.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.2.2.0" newVersion="4.2.2.0
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):28648
                                                                                                                                                                                                                          Entropy (8bit):6.283743404391549
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:vPYMDLxA6GikwBUGkXkFmDKAsIh5V7L5XWmzWNsWtyHRN7XZj05seyR9zHA:vgMmZ1dUdGZSDuXZj05sN9zg
                                                                                                                                                                                                                          MD5:9FFF1DA4E481028262E27AEFD7C0EFF4
                                                                                                                                                                                                                          SHA1:B0128E42E3CE3C295C48461A651AF99D95B5A04D
                                                                                                                                                                                                                          SHA-256:3FDB918CC5F1E5F1FA9C155DC68AAFE10A16C73ED934C06B201ED94070EA985D
                                                                                                                                                                                                                          SHA-512:6B02B873C4092BFE3C2D8428093696E94C6021DB9D6FA8740E79DF7C6C5208229ED7AE8A62E96597EEEF348956BC6AB79375292B6456162F78D332E3830B75EC
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):60584
                                                                                                                                                                                                                          Entropy (8bit):6.426868083769682
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:W0YiwXHy9lkD6vudI9C3dt8dNbm+ESg34o556bYIDwpFGpphsA/FIDbaFLdtlxnn:WxJ8kM9CHJ6bY3zkXX8u4iNd7EgIK/X
                                                                                                                                                                                                                          MD5:D4BECC422A254D1A75CFC60750572848
                                                                                                                                                                                                                          SHA1:2AE1D45045828B8D9A57DD90213F462D72F9A98B
                                                                                                                                                                                                                          SHA-256:A8BC4A168A5F9CD7ABBBBFF3F0794F433233A72D557E168AF42BD34FFF3A2F34
                                                                                                                                                                                                                          SHA-512:91A1E21F87868A00CF715018577A028413CB638A7965756324AFCF16A6108906DCB355959882C2C555C7276EF1A70627E455B4057695DE8C462E4D0679FEFAC5
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.829205499580206
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:+NjMaZomdl7FUC9mhsCVoNycrjIg9J197j26dIYi5YFK0FP27NBY3Yuv+QgP:+HhShzuD/Bpa6KYiyFjK/Y/+PP
                                                                                                                                                                                                                          MD5:76DC589253A2FDAAA3CDD02E9F5421DD
                                                                                                                                                                                                                          SHA1:A072B9CDDBDC150394643EBFD565A2443AFD9501
                                                                                                                                                                                                                          SHA-256:9AC1C9B0343F4D9638FEB4FA25824AFBD2D829EEBF13E54A5FD2197CED2118B5
                                                                                                                                                                                                                          SHA-512:50A85E3C61A2506912BC0F4547079DAB2C6B60A882127A4C3087C9AB4065C6568B1E8D4AF246D68BFEE7E7347664883A2FC8E00E2E58EA1DE867FE33D8220861
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):301224
                                                                                                                                                                                                                          Entropy (8bit):5.822993671222324
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:I856+Aq4WBT5TjbyfQ5d2ap3BES3l+3p7z8p5+cyIqrKMjE3g2AJX5ex4uyj0bOP:v56+Aq4WBTWpSqXhpeEioU2U7/c
                                                                                                                                                                                                                          MD5:8E545EE7F96C317AADC4EDA0F0FCF481
                                                                                                                                                                                                                          SHA1:242F4D714B142C10368AA82AF91B0A06E0A4E33F
                                                                                                                                                                                                                          SHA-256:A67BBFB9EFE5C1CD55D3B8209093BA93370F1EAE4F03A0349696D7B45867EAFC
                                                                                                                                                                                                                          SHA-512:77EBC317804B3D0830E76156D93A38980CA113CA80B0A3A2051FDF00D2ABAC96A39AA9BF099AE9CC5AF1E27D14976B5C582096DD6B3AB7F521423FCE6EC11FDE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):347016
                                                                                                                                                                                                                          Entropy (8bit):6.2576059322299855
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:+h0+XUaITFNwVI1ZdMfWsaYi3am2Wt6hn7UQjva9v:+u+XUTTvvndMfv64oQu
                                                                                                                                                                                                                          MD5:F4B5415B6C9EC38B073779A034421747
                                                                                                                                                                                                                          SHA1:DADEC8724A898C84A9F52A86A5D0ACFA71758341
                                                                                                                                                                                                                          SHA-256:2672829713F57630F2FC4DA57926456DDA7832F0E0F474F06462D2340B4DC4E3
                                                                                                                                                                                                                          SHA-512:82C58B9061CB8B4603B88AB69CD43461A886029AA7CE1A1ADB614F07EEE90FA979F7CC524272D6A494BADC79254906182DE5A90BF992E48160CA5C3DBE57C334
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):70824
                                                                                                                                                                                                                          Entropy (8bit):6.236705505937758
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:dMDv5NwVvDK0HBDk4rVHe061i/kObvmaLLJBr+tTB7sK/T:SorK0HBDk4rV21HObvm2LJB4BAK/T
                                                                                                                                                                                                                          MD5:F7543F2749BAB00FB981A41BE19734F8
                                                                                                                                                                                                                          SHA1:8BE0A90C7C011EEF0A775A518F2A29CE4AB035AA
                                                                                                                                                                                                                          SHA-256:634CD208B4FE8DB050AC7D782CB953D51E266B62369F0F80B0CF9D10D077A76F
                                                                                                                                                                                                                          SHA-512:160FBEB4AE704D00800656274B7680003C64559867ACEFB9274A23A1AEE45A145254E66DF423653CC3776A2FFA2A4F98BA93510109CF9963AED4CEBA2913A106
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):80784
                                                                                                                                                                                                                          Entropy (8bit):6.644018601476374
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:hwe4Dxq2afEZznigIM8U/w2ZAfiQ922f5qj1NrVuu26zmb:h54DxLaQAOw2C7922i1JVN6b
                                                                                                                                                                                                                          MD5:056A3B1C036A46447EBCA7083DA271A5
                                                                                                                                                                                                                          SHA1:8044FD37E124DF9BAFCE4311DB66D6B931120006
                                                                                                                                                                                                                          SHA-256:6BEDFFF38EB390D01F0D51340B7B4F8F7B3D1C1C6CEE8888C0A8088EDA19283D
                                                                                                                                                                                                                          SHA-512:3399C06120F32219D611D976D778654A2628AC5BA0FA778512FE1101EE461663C5D5819ED5EECF90363F70E69108F5DAA1A3E71E81BB7F9F635AED8908997852
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):41128
                                                                                                                                                                                                                          Entropy (8bit):6.401085070695131
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:lQq+jQ+JutCjyVmF8Wq8sBP3/7lpKaDBuz3bzrzlJBOKipq8pdwYv4qzsYiCtRKS:4VutFQF873t3/77KaDBuz3bzrBJBOKiT
                                                                                                                                                                                                                          MD5:AD53B27150F1E38EF23BD155A07E2313
                                                                                                                                                                                                                          SHA1:3A9A4383B9286A0E1A3F4102BC56437A5A961E41
                                                                                                                                                                                                                          SHA-256:62DBC8A6D43D623E5F267B59A3C78807CB08EFBE37A06A67425C9458D8B985DA
                                                                                                                                                                                                                          SHA-512:F8D471175E39425F1E1613C60EDD9D1A98DBACC98E3F18746AA642524AFB7D9F9A299B2BE33629200AB94538BF95C78B6343DE193EE3AD48B1CFC1DD4E37E9D4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):159368
                                                                                                                                                                                                                          Entropy (8bit):6.32384599449582
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:OcqXDYZbIkCKezJaoCNVljUmcmAs6Jm4AFt2iPaTatnhrOKK/E:9qbKwcB4njeXBSTcpOT/E
                                                                                                                                                                                                                          MD5:7AE17C855F3CC63174E90EA527B6138B
                                                                                                                                                                                                                          SHA1:0FE1E1B2252511F33EDA3FFCF1F8FC8586AB040A
                                                                                                                                                                                                                          SHA-256:26FF04208EC4D26EF4DDD9B3CF01C4D2A1544550BCD59EFDE6F30170053A1170
                                                                                                                                                                                                                          SHA-512:453BA41332A704F491FC9E1EE5FBE9F883EDDB4C26A71D207C93992726E9C5B7FEDC48EEEE2A2087F64B083F9473EE794FB2C8F3B77C9DBCBBC47B67816BD156
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):301224
                                                                                                                                                                                                                          Entropy (8bit):5.822993671222324
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:I856+Aq4WBT5TjbyfQ5d2ap3BES3l+3p7z8p5+cyIqrKMjE3g2AJX5ex4uyj0bOP:v56+Aq4WBTWpSqXhpeEioU2U7/c
                                                                                                                                                                                                                          MD5:8E545EE7F96C317AADC4EDA0F0FCF481
                                                                                                                                                                                                                          SHA1:242F4D714B142C10368AA82AF91B0A06E0A4E33F
                                                                                                                                                                                                                          SHA-256:A67BBFB9EFE5C1CD55D3B8209093BA93370F1EAE4F03A0349696D7B45867EAFC
                                                                                                                                                                                                                          SHA-512:77EBC317804B3D0830E76156D93A38980CA113CA80B0A3A2051FDF00D2ABAC96A39AA9BF099AE9CC5AF1E27D14976B5C582096DD6B3AB7F521423FCE6EC11FDE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):160936
                                                                                                                                                                                                                          Entropy (8bit):5.261187861382329
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:kgeojL/a7WvVHjizsw+Uu5MBBA4TigO8K/1:5jDzvVDizsQWMB1iR/1
                                                                                                                                                                                                                          MD5:F3F2EB62314A960AD5F60B61A8193CBD
                                                                                                                                                                                                                          SHA1:FD77AD6D9F96762CD7EE8D17454D9A7490FD8148
                                                                                                                                                                                                                          SHA-256:0F74E741958310B8E65E3B2393828998DB075EBF4C5B29045707948C65CB03CC
                                                                                                                                                                                                                          SHA-512:A62D09CF93E604AE0282F05842B607216533800F82ABF75E7D0FF1E9DED5F748B9E34D5E38170F1C837A0957D15FC4C6DF101FF2BE48D90C880807D0FB95D3E6
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):22696
                                                                                                                                                                                                                          Entropy (8bit):6.669675167195394
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:PICREYcfpyXOT9Z7a6WmYWXWIYiAh70FP27NBY3Yuv+9gfK:PIiE9QXM1xYioMK/Y/+9gi
                                                                                                                                                                                                                          MD5:657A48C8DA3DE14059498E383EBEF318
                                                                                                                                                                                                                          SHA1:ECCC9AB4E6804EB0581AC5BBD684B7DB5A13F028
                                                                                                                                                                                                                          SHA-256:201EC78B195DCE51330985026A8A4EC641F9ACE53429C5C2F5BB3F1CE7BEEC4A
                                                                                                                                                                                                                          SHA-512:C4F2410470BBEA5680958490B705C828254992441D27E5FB7837957583FDA8D639EA8D9EF00035DB63ABACF28C5E4560D642C1D19F144255908C44F5C37CE8DE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):143528
                                                                                                                                                                                                                          Entropy (8bit):6.164743567434074
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:oxi8ae06y7Q0kSutmvEmFk0pBa/+h8k/6kY2F8xB0dhqABtx5yoG9Qd7n8K/m:Q0vDkSutmhFpYqtDqAhjMQdYK/m
                                                                                                                                                                                                                          MD5:24DF113016A58EB1D14691CFE947C2C8
                                                                                                                                                                                                                          SHA1:E32B2388C9BCB8BD3EEA1A87626B562A06F5E2F9
                                                                                                                                                                                                                          SHA-256:4DE9980CF1D3B45FC14F69EA4DFF6F456389C5E817344D44D6FA7C1A3276AFB5
                                                                                                                                                                                                                          SHA-512:10DD82391CF51885533A5F9F859D7E79A9016F6E6A24C0A04C9BE08EA4C5A951D73AF467EC89BAB191DAC4B37D51B0C0AB247A24CD05478AD6101A44E9FC0D48
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):110760
                                                                                                                                                                                                                          Entropy (8bit):5.479763068610726
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:hpKSyD3hoE3PQU9xb1iPKHKWU//6hE2rkQQc76rK/8:qSyLhZ/X9xb1YKqn/unQcOrK/8
                                                                                                                                                                                                                          MD5:3FC875FFEFAC2BBA64E6F2A6A7CFF45B
                                                                                                                                                                                                                          SHA1:CAB48D6D156261CD9612633D70A61DA670D0D093
                                                                                                                                                                                                                          SHA-256:5A12A8D3CA02716C616F56342C920422966ABF79B49C4B1E1C7FF36E97764E1B
                                                                                                                                                                                                                          SHA-512:DDA0B6F0587D7915B490FFA2225E72374A2AA671E2019ABDC72EB7598B642906CF09302575C5B5B495B832FF434D45BAD0650C0409358E5D1786F4561FAE3636
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):16768
                                                                                                                                                                                                                          Entropy (8bit):6.361391591273708
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:LGLxTyHvc4ROgcxAdWXYWJeaPtWsI9A9GaHnhWgN7aJeWw0fnCsqnajt:LgGLROZAdWXYW8aPcyHRN7WEqn1lx
                                                                                                                                                                                                                          MD5:DA04A75DDC22118ED24E0B53E474805A
                                                                                                                                                                                                                          SHA1:2D68C648A6A6371B6046E6C3AF09128230E0AD32
                                                                                                                                                                                                                          SHA-256:66409F670315AFE8610F17A4D3A1EE52D72B6A46C544CEC97544E8385F90AD74
                                                                                                                                                                                                                          SHA-512:26AF01CA25E921465F477A0E1499EDC9E0AC26C23908E5E9B97D3AFD60F3308BFBF2C8CA89EA21878454CD88A1CDDD2F2F0172A6E1E87EF33C56CD7A8D16E9C8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25984
                                                                                                                                                                                                                          Entropy (8bit):6.291520154015514
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:1R973o62/KqcAnb05J3w0I5eUGef8s72XBWdvVW2JW8aJcyHRN7WEimpplex:1RZ4nNxnYTb6Blha
                                                                                                                                                                                                                          MD5:E1E9D7D46E5CD9525C5927DC98D9ECC7
                                                                                                                                                                                                                          SHA1:2242627282F9E07E37B274EA36FAC2D3CD9C9110
                                                                                                                                                                                                                          SHA-256:4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
                                                                                                                                                                                                                          SHA-512:DA7AB8C0100E7D074F0E680B28D241940733860DFBDC5B8C78428B76E807F27E44D1C5EC95EE80C0B5098E8C5D5DA4D48BCE86800164F9734A05035220C3FF11
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):354984
                                                                                                                                                                                                                          Entropy (8bit):6.846739611307464
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:jbz6pzdD/rIJXiQTutgCNktQFvmnoxXTS4ubCjrKglegtKop/4:G9FrIJJaqCNktA+SXfUCP9lvtKop/4
                                                                                                                                                                                                                          MD5:D822226C4B35A7305269C8E16E542D3E
                                                                                                                                                                                                                          SHA1:12F92D16608AAC1C39DDC92BA2B5AB8B5AAE6C30
                                                                                                                                                                                                                          SHA-256:FC504A3F68150AFC8C3304E5528867BF99EDDE0F3707406A30371062DDD86A0E
                                                                                                                                                                                                                          SHA-512:3A3A18D96716BD1033C35B06B73674FF6CBBEBE8F5025D0BE260F649FB268745290139B6501B9E208EB43EC5D76C2ABBA0A34C1E2F7E0E9F25E14C41F54E3914
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1106
                                                                                                                                                                                                                          Entropy (8bit):5.038231865445437
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:2dV8F7H3p2/+XBPpZp2/+XBPqp2/+XBw1irkV:cVg7C+XBR4+XBn+XBvrE
                                                                                                                                                                                                                          MD5:75E66AB540561A0C7D4160271F518243
                                                                                                                                                                                                                          SHA1:AD6501E407D216744B6C3DE76D7664D9581EBAD2
                                                                                                                                                                                                                          SHA-256:091AFFF3BB63024B5A7B14EA30306B6753858FD1A33FC8C98E3B5E65FE92FBE7
                                                                                                                                                                                                                          SHA-512:FCB55C0FDBB984B06AFF2FAFCAEA2596C175AA5A07D2F1A401305D3441338AA266A53D2DE7A7577684884A2E12CE3EE430B2E1D0210684A7EEFAF9EAA0DE115F
                                                                                                                                                                                                                          Malicious:false
Preview:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <appSettings>
    <add key="DownloadLocation" value=""/>
  </appSettings>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):35496
                                                                                                                                                                                                                          Entropy (8bit):6.3704146545353355
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:yS78zRHlzbzaxUxU7y7y7y7S7CxUxU7y3K7yTyTTN77xNTOLSxY777DKoRREEK79:yS7DOOqf1RuhC5w78K/m
                                                                                                                                                                                                                          MD5:26592109F19A24EE91F039EBB40038C4
                                                                                                                                                                                                                          SHA1:C8846404EFEB44C6CBB242B4C107F7CCE865AD14
                                                                                                                                                                                                                          SHA-256:E3F74128991C128410498223D4185915528360AD3DA92CD01BC23B19D8C2C670
                                                                                                                                                                                                                          SHA-512:8B031C53F5529D50A80AE2A4803D7C34F9A71A54DA01A912D1DB4D77D9BC1F490AB634A32F2DF6009EB53A2E57CD21975F3E00AF111BFA8320DE550A17509CA1
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):60584
                                                                                                                                                                                                                          Entropy (8bit):6.4260026936119194
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:D0YiwXHy9lkD6vudI9C3dt8dNbm+ESg34o556bYIDwpFGpphsA/FIDbaFLdtlxn+:DxJ8kM9CHJ6bY3zkXX8u4iNa7ogBK/o
                                                                                                                                                                                                                          MD5:550D6E67BB1795B941E91840508BF7F6
                                                                                                                                                                                                                          SHA1:46E22693BDC92F4E8DD8C4C5433D233438A271EF
                                                                                                                                                                                                                          SHA-256:D4B4CEB77A3D429EE21412E5172AAC6E36C553E7D990137F212E5ADD6B9A9336
                                                                                                                                                                                                                          SHA-512:1271BEC8A700AC925B9AC13FDB84FFCCFFA6A1589FA3F9FA1361282C47BB8985A7C8F0335EFDD422E2A708BF2DD46458AEF64B4E2A54B8488F8ED53750337A23
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):31912
                                                                                                                                                                                                                          Entropy (8bit):6.377831305172757
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:i4sSUSsK/Py54Iu67VMam4AX10KIUt0kYcT/EDYZGSPeyc8cHIlkLi7FIYihZM09:izNK/G4IfVswkYLy5L7yYihrK/Y/+mT
                                                                                                                                                                                                                          MD5:CE66CBCDA6D3B5047691C4AFF63CFE79
                                                                                                                                                                                                                          SHA1:358E3A2284798BE1C537756A41721B61643D2BEE
                                                                                                                                                                                                                          SHA-256:B8551ECBE96BB718BAA56E053589A7F16561BFDAB86575441EC5FBE528B32B8C
                                                                                                                                                                                                                          SHA-512:7BC26EDD1C018553B163B75250B5862D26B607C26BDBFB6934F0AC5CE20B04D1956EEAF3915CBCE2129CD992ECA6E1B1C311991427D485CB43969A05431270E4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):41128
                                                                                                                                                                                                                          Entropy (8bit):6.4006875255426365
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:dQq+jQ+JutCjyVmF8Wq8sBP3/7lpKaDBuz3bzrzlJBOKipq8pdwYv4qzsYiCtVK9:gVutFQF873t3/77KaDBuz3bzrBJBOKig
                                                                                                                                                                                                                          MD5:FDF4712500755002CD0FFD2F7BEA8C2A
                                                                                                                                                                                                                          SHA1:372F4D6F2F19A5DF96FCDEF566AE4761F7AFF2B5
                                                                                                                                                                                                                          SHA-256:D61A675E7D11A6DDF12E4CEBCABFD7BAAA24B86AD7B751BE19788E7A8A5ABE39
                                                                                                                                                                                                                          SHA-512:6484349215D1347FB3D77E6598AF740045AC416EE06370B8D89E91ECBA930E5AFFCE6F4840CE4ECD2214960E1884CCBE49710E5B5C1FEBE0C96F88A099AE2E4E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):20136
                                                                                                                                                                                                                          Entropy (8bit):6.723147332362829
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:BaXxdsvBO/dITrZ+VK6G6IYi+PVl0FP27NBY3Yuv+t+QV:BJZl6GHYiGIK/Y/+tB
                                                                                                                                                                                                                          MD5:14A266CFF3BC7795C208096E24D4791D
                                                                                                                                                                                                                          SHA1:D55A976C562A309B4EEB860E711324A22357470E
                                                                                                                                                                                                                          SHA-256:2C2E075009E736927EBC468CDFB7FF273F73670DF87A057C7B98D18A17CA945D
                                                                                                                                                                                                                          SHA-512:E4A82644052C82F3CFEBAFFF15DEF713F3883F3E32043FAFB607CEE008498329C2E5A5712B0FEE670D68C9CEE127EC70FEC88977B25AF838B5977595268CD252
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):18088
                                                                                                                                                                                                                          Entropy (8bit):6.784018634948529
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:4iqjQN+Pw2X6VUYNVYuKAiIYiUOX0FP27NBY3Yuv+WO:fqjQ8f5uKAvYidgK/Y/+X
                                                                                                                                                                                                                          MD5:CD6CB12E677F6C45BBFE57DED6C90567
                                                                                                                                                                                                                          SHA1:C13525F597974BA46B4B2A71F270B1056332F77B
                                                                                                                                                                                                                          SHA-256:FA0E1B932B5548F39795B9C24106B48D6221600EA7679D6A1D1DEEED1C8D7D8C
                                                                                                                                                                                                                          SHA-512:6D9DC73035F3C053281C9347131C8EF232797507F28271B60428FCA4A82CC43689BF1FA3E6DCE46AE92BC3C0E924745F81E315D2E4D4BD2F5D7991DC78A58FBD
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):53416
                                                                                                                                                                                                                          Entropy (8bit):6.326182355914875
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:x0Gl7W1UiZTo1ooEqTh0sq/s/MnBOyvUPrYZbkchJYi/S8K/Y/+A:6qQpZTsooEah0sqU/by4UZzhJ7K8K/S
                                                                                                                                                                                                                          MD5:C4BC370961A9E628E64B8FF4586D4DA6
                                                                                                                                                                                                                          SHA1:B391F6A1A54B693F14BA7E8CD58DD8976CDDC992
                                                                                                                                                                                                                          SHA-256:097B7F6F9ED8B63F0E725DE28D6842F6AC93D8105E441C7498385FAAD243A8C1
                                                                                                                                                                                                                          SHA-512:169FD48C453BC95D33137BDAA22225B483CF9BF73CBCE9AFB5B6BF63B62300CC98A968F1D825348CDB8C786232B66D62247659FD809B6B0D7BCBF26C7B4519A4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):15086
                                                                                                                                                                                                                          Entropy (8bit):3.1108966039740653
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:FajQ4xW97nzsbzW+0eTODzfHvt0K/UrPdlMoi5U:FTd7nzsbyyqvt1/URiby
                                                                                                                                                                                                                          MD5:BC1059DA39659B80A09C994AE6DB5DB7
                                                                                                                                                                                                                          SHA1:D7E9D74133C98F897B94C42F09B93F10E3274EDB
                                                                                                                                                                                                                          SHA-256:9543C96124919AE5B672FD7C23CCF5946A37FBB83A174112A33DA9FF37449B43
                                                                                                                                                                                                                          SHA-512:F88CD2EC86E52EF31C471E580A9733D7DAAA7E3062C7DBCAAF9E50308934A4B679B364A4C1372D9021D9F5A504D5C310B8F631799AFA3248878B4F55A6CB704B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.8288213942048985
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:tNjMaZomdl7FUC9mhsCVoNycrjIg9J197j26QIYidYFl0FP27NBY3Yuv+tiV:tHhShzuD/Bpa65YiGFuK/Y/+tiV
                                                                                                                                                                                                                          MD5:37E6E1D07988932C4360D74A34B27AE9
                                                                                                                                                                                                                          SHA1:F53AE2462ECC565EFCC28D1C5BB2C285BF899798
                                                                                                                                                                                                                          SHA-256:7E321840FA4F112D0F117D8F4E4DDCA274829693CD1C1189CE1061B6F67550FF
                                                                                                                                                                                                                          SHA-512:EFB94F19A885D20BF602AFE84CDD4FE5E9CE89B3A5B7D0BD5273546A6B5D894AD6F1359545DC6B2EEDE06FCB06790286CB69EFB153F249D7D8EF0C677C5D1B3A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):116872
                                                                                                                                                                                                                          Entropy (8bit):6.726218253535254
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:8tw0r3S8FpUCSBCLiXdb0NphY3kWlon6ZhPn8agN6K/p:8mWi8FpCBCLybQakA/Pn8agNj/p
                                                                                                                                                                                                                          MD5:B9F4D43230B7FB66B95AF05DC03B32DE
                                                                                                                                                                                                                          SHA1:56F868C56FFF836CA61055499988F965DCA37D26
                                                                                                                                                                                                                          SHA-256:A103634B16841E3A68DD4A6BCBDFC3A1651B8C9F1114D99BF01CA31297664E21
                                                                                                                                                                                                                          SHA-512:50EB5DE7D0A1B5D7E1AC38209488635EF77733C2C78DC39D0D473904128DBFC67D4E3EC388D2C2D79645AFDF03FD1965386F6E6D21553C9A6DAB07A58549FD1E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.8288213942048985
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:tNjMaZomdl7FUC9mhsCVoNycrjIg9J197j26QIYidYFl0FP27NBY3Yuv+tiV:tHhShzuD/Bpa65YiGFuK/Y/+tiV
                                                                                                                                                                                                                          MD5:37E6E1D07988932C4360D74A34B27AE9
                                                                                                                                                                                                                          SHA1:F53AE2462ECC565EFCC28D1C5BB2C285BF899798
                                                                                                                                                                                                                          SHA-256:7E321840FA4F112D0F117D8F4E4DDCA274829693CD1C1189CE1061B6F67550FF
                                                                                                                                                                                                                          SHA-512:EFB94F19A885D20BF602AFE84CDD4FE5E9CE89B3A5B7D0BD5273546A6B5D894AD6F1359545DC6B2EEDE06FCB06790286CB69EFB153F249D7D8EF0C677C5D1B3A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):108200
                                                                                                                                                                                                                          Entropy (8bit):7.332504567097915
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:Gn5VJM3T5szyxa9PuIKb8wmtyYVzH0cfNbQSi/GoP4YNjZ34A7GZK/ZIVQ:GWsEa9GIdyAUKWeYNl34AwK/ZV
                                                                                                                                                                                                                          MD5:261A5044C94F318DEEA20D178ED9F36E
                                                                                                                                                                                                                          SHA1:2A9704F70A543EE219481A3AA756A0CF151E1999
                                                                                                                                                                                                                          SHA-256:D17E9B0C62C224D1BA56E7206D8A44FE382FE99752C511BA211A7725D83FEF43
                                                                                                                                                                                                                          SHA-512:E53C320DBF6B2AAEEC01FE5AFF1FAD5A8D75B2483A78BA0E1B510F2A7A8C5C510ACD603541734F4A002748D0781FC11AFBF6967EBCDB41A6FC9A29C828ABC2A3
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):26752
                                                                                                                                                                                                                          Entropy (8bit):6.512503595653532
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:DulwnBhYlTVv2wK5idcgF4of1n6K9zUYJ:ywHYFtKYdcg/f1nXzUYJ
                                                                                                                                                                                                                          MD5:970B6E6478AE3AB699F277D77DE0CD19
                                                                                                                                                                                                                          SHA1:5475CB28998D419B4714343FFA9511FF46322AC2
                                                                                                                                                                                                                          SHA-256:5DC372A10F345B1F00EC6A8FA1A2CE569F7E5D63E4F1F8631BE367E46BFA34F4
                                                                                                                                                                                                                          SHA-512:F3AD2088C5D3FCB770C6D8212650EED95507E107A34F9468CA9DB99DEFD8838443A95E0B59A5A6CB65A18EBBC529110C5348513A321B44223F537096C6D7D6E0
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):22184
                                                                                                                                                                                                                          Entropy (8bit):6.685941492131545
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:1hKpVrz0BH8aZqmgBTKDAATaYIYikfF0FP27NBY3Yuv+8N:1hKpVcB15KO7aBYimOK/Y/+g
                                                                                                                                                                                                                          MD5:AAA9DA932D572F5B22CBEE1B4E479ED6
                                                                                                                                                                                                                          SHA1:D708727DED1298610C2E3D72C8792F12FC60CFF2
                                                                                                                                                                                                                          SHA-256:73B55714DB609A1712FD4FC420CE18441E41BB7E3E94D73B11AE28C68CCB1124
                                                                                                                                                                                                                          SHA-512:40A8E2CB18FB2D68F0945B6FBF259FA9331327116A6D21A85AAE6AA12600F7FDD3737B5E84E0AE04C584442016882926D9201E16C25EB937838C8BAC24358779
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):160936
                                                                                                                                                                                                                          Entropy (8bit):5.261187861382329
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:kgeojL/a7WvVHjizsw+Uu5MBBA4TigO8K/1:5jDzvVDizsQWMB1iR/1
                                                                                                                                                                                                                          MD5:F3F2EB62314A960AD5F60B61A8193CBD
                                                                                                                                                                                                                          SHA1:FD77AD6D9F96762CD7EE8D17454D9A7490FD8148
                                                                                                                                                                                                                          SHA-256:0F74E741958310B8E65E3B2393828998DB075EBF4C5B29045707948C65CB03CC
                                                                                                                                                                                                                          SHA-512:A62D09CF93E604AE0282F05842B607216533800F82ABF75E7D0FF1E9DED5F748B9E34D5E38170F1C837A0957D15FC4C6DF101FF2BE48D90C880807D0FB95D3E6
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):20136
                                                                                                                                                                                                                          Entropy (8bit):6.723147332362829
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:BaXxdsvBO/dITrZ+VK6G6IYi+PVl0FP27NBY3Yuv+t+QV:BJZl6GHYiGIK/Y/+tB
                                                                                                                                                                                                                          MD5:14A266CFF3BC7795C208096E24D4791D
                                                                                                                                                                                                                          SHA1:D55A976C562A309B4EEB860E711324A22357470E
                                                                                                                                                                                                                          SHA-256:2C2E075009E736927EBC468CDFB7FF273F73670DF87A057C7B98D18A17CA945D
                                                                                                                                                                                                                          SHA-512:E4A82644052C82F3CFEBAFFF15DEF713F3883F3E32043FAFB607CEE008498329C2E5A5712B0FEE670D68C9CEE127EC70FEC88977B25AF838B5977595268CD252
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):117928
                                                                                                                                                                                                                          Entropy (8bit):6.160360774488817
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:Hzne5lbC/VlCG2OWMMdWWbWbWw+Hfz+8lKbchOD07PQCFP1IYmDe/WAbBuhEK/a:HFO4WMMdWWbWbWw+Hfz+8lKbchOD07PP
                                                                                                                                                                                                                          MD5:FDFDFE021B53B630939D27C6C90CB435
                                                                                                                                                                                                                          SHA1:AA0987A6EA6987BB9930B9167EC31C249EF9D885
                                                                                                                                                                                                                          SHA-256:D753A7EF62BABC2ADB5D1DBEB0BEBAA2B042CC01CC219726F32F761BBB0A711D
                                                                                                                                                                                                                          SHA-512:1FD0C74D0ED3AC4DF26D3E95C0F133E8024D77D1FD06E0C76C630D6AAC7B81124AA1DCA7CFFAC43BC34252A057414F8C3F8EC63A805323B1EF892B5F6A277D3B
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):147848
                                                                                                                                                                                                                          Entropy (8bit):6.032707503792338
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:yiq8kuub1o2/5pds7tUMZNFxtPwVrHlGZ6U1SiWUwBpXtNpTE1MNniv:WFwzFQ9FGZ1SityhtNpTECU
                                                                                                                                                                                                                          MD5:B6DB385295FA78A6AABCF217FD3C3F83
                                                                                                                                                                                                                          SHA1:71E2A93223A6B8204EED6B9834284C0FA1D7EBD0
                                                                                                                                                                                                                          SHA-256:ABF40F07643E6D29D0817021991F9D27410B7DCAEF80980D849634ACEF255BDC
                                                                                                                                                                                                                          SHA-512:122FDB77C0AC6A7A2ECF5519BB059097EF119390E6D3C34F9FAB303D60279EE8649175617E3B6FC2A3D118B422CE8BC1BFFC208332D0A9F012271325AC0A0EE7
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1106
                                                                                                                                                                                                                          Entropy (8bit):5.038231865445437
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:2dV8F7H3p2/+XBPpZp2/+XBPqp2/+XBw1irkV:cVg7C+XBR4+XBn+XBvrE
                                                                                                                                                                                                                          MD5:75E66AB540561A0C7D4160271F518243
                                                                                                                                                                                                                          SHA1:AD6501E407D216744B6C3DE76D7664D9581EBAD2
                                                                                                                                                                                                                          SHA-256:091AFFF3BB63024B5A7B14EA30306B6753858FD1A33FC8C98E3B5E65FE92FBE7
                                                                                                                                                                                                                          SHA-512:FCB55C0FDBB984B06AFF2FAFCAEA2596C175AA5A07D2F1A401305D3441338AA266A53D2DE7A7577684884A2E12CE3EE430B2E1D0210684A7EEFAF9EAA0DE115F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.... <appSettings>.. <add key="DownloadLocation" value=""/>.. </appSettings>.... <runtime>.... <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.... <dependentAssembly>.... <assemblyIdentity name="System.Runtime" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Threading.Tasks" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... <dependentAssembly>.... <assemblyIdentity name="System.Net.Http" publicKeyToken="b03f5f7f11d50a3a" culture="neutral"/>.... <bindingRedirect oldVersion="0.0.0.0-4.0.0.0" newVersion="4.0.0.0"/>.... </dependentAssembly>.... </assemblyBinding>.... </runtime>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):70824
                                                                                                                                                                                                                          Entropy (8bit):6.23750269831583
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:rMDv5NwVvDK0HBDk4rVHe061i/kObvmaLLJBr+tTe7TK/SB0:UorK0HBDk4rV21HObvm2LJB4eHK/SO
                                                                                                                                                                                                                          MD5:0F7D6DEE75C3FBB958529AB6A351CBDF
                                                                                                                                                                                                                          SHA1:1CA639AB692ECD972C51C8BF826BF9BF089359FE
                                                                                                                                                                                                                          SHA-256:C5B07CBACD0FF045485A0A4CE6FB3CCB330A0623E3EFE347D61DA4E698FDE412
                                                                                                                                                                                                                          SHA-512:58F0B5ED44E3290D6C9FB0E624F2A351CD5BB4744A84AC55AC47FB1B087026DE4DBAA6BBC83255EEC51A2BB3ED9A680EF53E8FC7035586B4A74CA68016AE0F5D
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):75432
                                                                                                                                                                                                                          Entropy (8bit):6.020201057914009
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:mjb2NmqeZsE64aEKbMsZG0EN3ovewf8KnWE7LJ/ZEBiUN7TK/P:mjbUmqWL3M/WkV2ZNHK/P
                                                                                                                                                                                                                          MD5:8DC8D595216B1D7703575B77282F7147
                                                                                                                                                                                                                          SHA1:5FBA510AB9D9677B5AF28757BFCFC3E6EE3228F5
                                                                                                                                                                                                                          SHA-256:7A8833790323071279C55854F35A1A802BF5D5766CABCFA381889460F95D5864
                                                                                                                                                                                                                          SHA-512:F1E79E49CF5F10C9BC88D2AAA078FABD772027360A8C9692334AC3BBCDFEEDD93C2C6234F4DE6C6B4AFBD443FD6315633FE8943229EE0CB8CA6A6F29C2AE97EE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):110760
                                                                                                                                                                                                                          Entropy (8bit):5.479763068610726
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:hpKSyD3hoE3PQU9xb1iPKHKWU//6hE2rkQQc76rK/8:qSyLhZ/X9xb1YKqn/unQcOrK/8
                                                                                                                                                                                                                          MD5:3FC875FFEFAC2BBA64E6F2A6A7CFF45B
                                                                                                                                                                                                                          SHA1:CAB48D6D156261CD9612633D70A61DA670D0D093
                                                                                                                                                                                                                          SHA-256:5A12A8D3CA02716C616F56342C920422966ABF79B49C4B1E1C7FF36E97764E1B
                                                                                                                                                                                                                          SHA-512:DDA0B6F0587D7915B490FFA2225E72374A2AA671E2019ABDC72EB7598B642906CF09302575C5B5B495B832FF434D45BAD0650C0409358E5D1786F4561FAE3636
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):301224
                                                                                                                                                                                                                          Entropy (8bit):5.823114295644
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:I856+Aq4WBT5TjbyfQ5d2ap3BES3l+3p7z8p5+cyIqrKMjE3g2AJX5ex4uyj0bOa:v56+Aq4WBTWpSqXhpeEioU2Uh/b
                                                                                                                                                                                                                          MD5:4798226EE22C513302EE57D3AA94398B
                                                                                                                                                                                                                          SHA1:F42C6CFA4068263D955608DE47E60D099AD8B394
                                                                                                                                                                                                                          SHA-256:38F32C75433A2AF902D33511BC3BBBE5BBF66D87FEC7D3AD1694AECEEB7E485E
                                                                                                                                                                                                                          SHA-512:94BB5E38CBCDC1E40BBD3AB14A3C92C8C90F64EA1910108BB2DE80E00BEA358A13A063031B5E3417A55102DB238488F5C3E766A1AF3ACEDB8806FEC5DD81990C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):432
                                                                                                                                                                                                                          Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                          MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                          SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                          SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                          SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):48256
                                                                                                                                                                                                                          Entropy (8bit):6.234996524588368
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:AMWC5N7mKWPKz4VJ4e0jeuTGlBh0JzqPPxofk3l9z2I:Y67hCfV8j3TGlB+JsafkHzP
                                                                                                                                                                                                                          MD5:37EB7CCE6E282D3572D64C880E1AC3C8
                                                                                                                                                                                                                          SHA1:9A2952589A19D650932E7C633577EB9AFC04F959
                                                                                                                                                                                                                          SHA-256:039155F155C5D14F5B73F4EE2CD1FBD9290F391B88A1D2A0BA815569205EDB74
                                                                                                                                                                                                                          SHA-512:E3C2EF1CC52E3AA5BD77B74DEC93A4FC9E908DF823426F13CA304265D41605DE51970CC8C7E18C2E76319D3225707B2EA2D8613402A25C4FBD3951E70FCFD521
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):432
                                                                                                                                                                                                                          Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                          MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                          SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                          SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                          SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):53624
                                                                                                                                                                                                                          Entropy (8bit):6.18841715621451
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:mLtojuUUUbf/l0lwELEEEqi8g15qTLT5HGoV0weeezxSoL3G7Yl9zndG:mE17Iw8/i8gM5maee8SoL13zdG
                                                                                                                                                                                                                          MD5:B7ABAF6A90E95E585E71C0C22D90AF73
                                                                                                                                                                                                                          SHA1:C9756883D1738A9931D0BF58D6F69CBB8DFD5870
                                                                                                                                                                                                                          SHA-256:3BA247FDCC6953B5CC672A361983B7B0AF3051A83128970BCEBAB22036D1E859
                                                                                                                                                                                                                          SHA-512:3A67EF230A06FAE3095926EAD9AAF329009BC0F2ED6AA1E6683C426ADA29DDD9CB77EC3BE134DFC4CD10A1F675D518FB4986363C4FE649D4247770B96DBC7A56
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):29352
                                                                                                                                                                                                                          Entropy (8bit):6.56368110636982
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:vT6rilChUvVsYQTJMS6V4B6PYikK/Y/+V7:7qSsYOwP7kK/77
                                                                                                                                                                                                                          MD5:1CFBF0CBA3C87653D9639ADA438C3291
                                                                                                                                                                                                                          SHA1:07E36A34319EAD85857CC022E277B69EA132750B
                                                                                                                                                                                                                          SHA-256:3525FCE82E2687D8EFAF992147B196881818856EA9EA851A8DC930751329A8DD
                                                                                                                                                                                                                          SHA-512:E95FC978E889BD62E92975EFD8F39161B6E43FE97451068552E3A71635943F990E4E8697323794D75F77BB12F3DE4E2CFADB5B9D80EF90F1992C82298EBFD00B
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):3070013
                                                                                                                                                                                                                          Entropy (8bit):6.39701754184779
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:BdJYVM+9JtzZWnoS2VC23aun8+f5KuGP+VYNCWNtdH333t7:HJYVM+LtVt3P/KuGP+VYNCuf333V
                                                                                                                                                                                                                          MD5:A2386053A831B1C65F9BB923F4F17A7B
                                                                                                                                                                                                                          SHA1:530BC9411C100138963776A527966EA98D2D1FD9
                                                                                                                                                                                                                          SHA-256:3AE0793AF74140734EC43A261FAD664E5871890F28F9CCC692B68B3D6E1A26E5
                                                                                                                                                                                                                          SHA-512:2E149D81B13101F9C38EE67396A92527AE5BFD8761D8187BAB635C7736B316E31D9A246DC14D934F28EEE4076F9B3FA78751F912D9CFEB6A032470997382D76F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25984
                                                                                                                                                                                                                          Entropy (8bit):6.291520154015514
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:1R973o62/KqcAnb05J3w0I5eUGef8s72XBWdvVW2JW8aJcyHRN7WEimpplex:1RZ4nNxnYTb6Blha
                                                                                                                                                                                                                          MD5:E1E9D7D46E5CD9525C5927DC98D9ECC7
                                                                                                                                                                                                                          SHA1:2242627282F9E07E37B274EA36FAC2D3CD9C9110
                                                                                                                                                                                                                          SHA-256:4F81FFD0DC7204DB75AFC35EA4291769B07C440592F28894260EEA76626A23C6
                                                                                                                                                                                                                          SHA-512:DA7AB8C0100E7D074F0E680B28D241940733860DFBDC5B8C78428B76E807F27E44D1C5EC95EE80C0B5098E8C5D5DA4D48BCE86800164F9734A05035220C3FF11
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):53416
                                                                                                                                                                                                                          Entropy (8bit):6.326182355914875
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:x0Gl7W1UiZTo1ooEqTh0sq/s/MnBOyvUPrYZbkchJYi/S8K/Y/+A:6qQpZTsooEah0sqU/by4UZzhJ7K8K/S
                                                                                                                                                                                                                          MD5:C4BC370961A9E628E64B8FF4586D4DA6
                                                                                                                                                                                                                          SHA1:B391F6A1A54B693F14BA7E8CD58DD8976CDDC992
                                                                                                                                                                                                                          SHA-256:097B7F6F9ED8B63F0E725DE28D6842F6AC93D8105E441C7498385FAAD243A8C1
                                                                                                                                                                                                                          SHA-512:169FD48C453BC95D33137BDAA22225B483CF9BF73CBCE9AFB5B6BF63B62300CC98A968F1D825348CDB8C786232B66D62247659FD809B6B0D7BCBF26C7B4519A4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):2059432
                                                                                                                                                                                                                          Entropy (8bit):7.651137710710665
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:+3zNmj7tPN/PPINv2lYnvqfI1L3ciKKqjnTVlKJ+hgyiTebWmDXQHMkgXvYOdSYB:84vtPNvCv2Qqfobuvq+hqCTDgHMT
                                                                                                                                                                                                                          MD5:01CF6EF766C41BB2C99A2CCCDECC69C1
                                                                                                                                                                                                                          SHA1:8DD5EB983C1C8F2E3A2538E50295644BB778A69E
                                                                                                                                                                                                                          SHA-256:9A9B95CA40D32FA23A615A122FA3AAF7AEB32FBEF2850D729F77C1169FFC0452
                                                                                                                                                                                                                          SHA-512:9EE4D4D7852555F67CF0C9B372DCA87EC0727AB0A6FC5EAE309CF6BF5467FC75C6868A5E528D34AB605CDC736D30684D35A1451D4ABE3B99BA37D276474AC940
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):16768
                                                                                                                                                                                                                          Entropy (8bit):6.361391591273708
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:LGLxTyHvc4ROgcxAdWXYWJeaPtWsI9A9GaHnhWgN7aJeWw0fnCsqnajt:LgGLROZAdWXYW8aPcyHRN7WEqn1lx
                                                                                                                                                                                                                          MD5:DA04A75DDC22118ED24E0B53E474805A
                                                                                                                                                                                                                          SHA1:2D68C648A6A6371B6046E6C3AF09128230E0AD32
                                                                                                                                                                                                                          SHA-256:66409F670315AFE8610F17A4D3A1EE52D72B6A46C544CEC97544E8385F90AD74
                                                                                                                                                                                                                          SHA-512:26AF01CA25E921465F477A0E1499EDC9E0AC26C23908E5E9B97D3AFD60F3308BFBF2C8CA89EA21878454CD88A1CDDD2F2F0172A6E1E87EF33C56CD7A8D16E9C8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):19624
                                                                                                                                                                                                                          Entropy (8bit):6.761472837087098
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:pwG3NNuGs7lkviba8FLdwIYieB0FP27NBY3Yuv+4pdS:F+V7PpFLdZYixK/Y/+4S
                                                                                                                                                                                                                          MD5:12A69C58D97C26D0132D493111E42345
                                                                                                                                                                                                                          SHA1:0DCC8570C7D76B660746A0F657607864F8764AD4
                                                                                                                                                                                                                          SHA-256:E6682B67F0C489BEB53C93C399D46CEAEBDD7096AD7DB984BF99DCC68E476F4C
                                                                                                                                                                                                                          SHA-512:3335371222BB282C55F1309432CD776CD146EFA9B6D17BF23997EFA6E3A741512FD95B9382EB719F400C6A70BD13E6A445A6011716B4C7637CF1083C8D669BE6
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):3316968
                                                                                                                                                                                                                          Entropy (8bit):6.532906510598102
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:JIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9Y:6BbBWIgWljGxRB/LLY
                                                                                                                                                                                                                          MD5:0CF454B6ED4D9E46BC40306421E4B800
                                                                                                                                                                                                                          SHA1:9611AA929D35CBD86B87E40B628F60D5177D2411
                                                                                                                                                                                                                          SHA-256:E51721DC0647F4838B1ABC592BD95FD8CB924716E8A64F83D4B947821FA1FA42
                                                                                                                                                                                                                          SHA-512:85262F1BC67A89911640F59A759B476B30CA644BD1A1D9CD3213CC8AAE16D7CC6EA689815F19B146DB1D26F7A75772CEB48E71E27940E3686A83EB2CF7E46048
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):60584
                                                                                                                                                                                                                          Entropy (8bit):6.4260026936119194
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:D0YiwXHy9lkD6vudI9C3dt8dNbm+ESg34o556bYIDwpFGpphsA/FIDbaFLdtlxn+:DxJ8kM9CHJ6bY3zkXX8u4iNa7ogBK/o
                                                                                                                                                                                                                          MD5:550D6E67BB1795B941E91840508BF7F6
                                                                                                                                                                                                                          SHA1:46E22693BDC92F4E8DD8C4C5433D233438A271EF
                                                                                                                                                                                                                          SHA-256:D4B4CEB77A3D429EE21412E5172AAC6E36C553E7D990137F212E5ADD6B9A9336
                                                                                                                                                                                                                          SHA-512:1271BEC8A700AC925B9AC13FDB84FFCCFFA6A1589FA3F9FA1361282C47BB8985A7C8F0335EFDD422E2A708BF2DD46458AEF64B4E2A54B8488F8ED53750337A23
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):61608
                                                                                                                                                                                                                          Entropy (8bit):6.287396747644481
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:SmOGveifSTtyXEQ3nPGLb4PFvSMJCD2j+/IfHq1wJd9P581Icm/DskdFPYi3K/Ye:yLTtyXEQ3+bO6U+QlrPi1QLsgFP73K/h
                                                                                                                                                                                                                          MD5:A760AEACBE049C8C0D5DD66DD9EAA7A0
                                                                                                                                                                                                                          SHA1:975896722F2D5A365621EE407ACE3E3294CFC1C3
                                                                                                                                                                                                                          SHA-256:C3618538771839CBC6A855E41A1664D5B86313070FC75CA1B58EF74D007DBDE4
                                                                                                                                                                                                                          SHA-512:64CF42CF493686A4286320819D10A37CC075088509866E867A341651B7762FFD88750417E3AD72E6FA78908DD17C66363752E5AA2955066BA4930889D36AE3CA
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):30888
                                                                                                                                                                                                                          Entropy (8bit):6.550270680442998
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:RzfFYXOvijvSGpUprWHEvgr0KnB4C7GrhIYiRSk0FP27NBY3Yuv+U:RxyOg9bxr9qaGKYi8K/Y/+U
                                                                                                                                                                                                                          MD5:96D7E9527C5D8BDBA798F72B5FD9B94A
                                                                                                                                                                                                                          SHA1:C9CE9813C74493084D6E3DDA37C35C8822CA381F
                                                                                                                                                                                                                          SHA-256:6942DC9FDBB229D066BA3E1844883B9DA3EAE21F7035FFF2674C3F19C6331B55
                                                                                                                                                                                                                          SHA-512:BE88433F513C4D9F58BDDFED57427DEC12BA0490E2D7C79176144732FBB7969956FA55B03E462C50EA3508389B3C29BC5A559F4B6002C6022C93D059C65B5C44
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):19112
                                                                                                                                                                                                                          Entropy (8bit):6.821071301483957
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:LVVVVVwhr+vtlzIYilpm0FP27NBY3Yuv+Z:LVVVVVwhKvtl8YijnK/Y/+Z
                                                                                                                                                                                                                          MD5:64E2269D156CA2AA5704E2E0908506F9
                                                                                                                                                                                                                          SHA1:0F7D6EECE52D8A9A91E389736BE1092739AA3014
                                                                                                                                                                                                                          SHA-256:B012720952E3FE9CB303E9EDB4314F924CB388D9C24FB63A968A3479113B665D
                                                                                                                                                                                                                          SHA-512:C845E7EB96ED29C564C28D42F07F5EB81C27568F0F89C343533384BF8E704B99566EA073E46259D9F3740A7A3D41AAB5BFA78AEAB05697100B3A179F5C1EDFB6
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:MS Windows icon resource - 3 icons, 16x16, 32 bits/pixel, 32x32, 32 bits/pixel
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):15086
                                                                                                                                                                                                                          Entropy (8bit):3.1108966039740653
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:FajQ4xW97nzsbzW+0eTODzfHvt0K/UrPdlMoi5U:FTd7nzsbyyqvt1/URiby
                                                                                                                                                                                                                          MD5:BC1059DA39659B80A09C994AE6DB5DB7
                                                                                                                                                                                                                          SHA1:D7E9D74133C98F897B94C42F09B93F10E3274EDB
                                                                                                                                                                                                                          SHA-256:9543C96124919AE5B672FD7C23CCF5946A37FBB83A174112A33DA9FF37449B43
                                                                                                                                                                                                                          SHA-512:F88CD2EC86E52EF31C471E580A9733D7DAAA7E3062C7DBCAAF9E50308934A4B679B364A4C1372D9021D9F5A504D5C310B8F631799AFA3248878B4F55A6CB704B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):31912
                                                                                                                                                                                                                          Entropy (8bit):6.377831305172757
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:i4sSUSsK/Py54Iu67VMam4AX10KIUt0kYcT/EDYZGSPeyc8cHIlkLi7FIYihZM09:izNK/G4IfVswkYLy5L7yYihrK/Y/+mT
                                                                                                                                                                                                                          MD5:CE66CBCDA6D3B5047691C4AFF63CFE79
                                                                                                                                                                                                                          SHA1:358E3A2284798BE1C537756A41721B61643D2BEE
                                                                                                                                                                                                                          SHA-256:B8551ECBE96BB718BAA56E053589A7F16561BFDAB86575441EC5FBE528B32B8C
                                                                                                                                                                                                                          SHA-512:7BC26EDD1C018553B163B75250B5862D26B607C26BDBFB6934F0AC5CE20B04D1956EEAF3915CBCE2129CD992ECA6E1B1C311991427D485CB43969A05431270E4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):149896
                                                                                                                                                                                                                          Entropy (8bit):6.136390335470081
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:PcRKLBm0ELV6Ra+eKBL24YzRk2XDuzEdnp+4WSspmfxPapkwN5RGV5xz/OEYW58R:qI0KRHeKBszRk2aApjsp7pBtZGh9
                                                                                                                                                                                                                          MD5:70B1C15FDBBFB88F91965DC7BBC5527F
                                                                                                                                                                                                                          SHA1:A473571DAC42819933CD7EF0C604F1EA0614D2F3
                                                                                                                                                                                                                          SHA-256:109878A7A6F6BD13637B7E3A2EBC22D37423716ECD4E954CC09BACB84B92F62B
                                                                                                                                                                                                                          SHA-512:C496EE2DDF6C401E9E48FB6D739C44200EBFE36B516E7608CECB3E32FEB620CE1531CC5DE26B1A4CD033C65FD002D6B6315B746CFB8B4D047A2954F6F33CA0A4
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):124072
                                                                                                                                                                                                                          Entropy (8bit):6.169344446608534
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:LurAkSCDvkOtt+niUnQY8/LFEMnK8VQW5K/7:LJkSCDv+iUnQXLFEEM/7
                                                                                                                                                                                                                          MD5:2DC3102392DAEF9B935CDF4939A9B132
                                                                                                                                                                                                                          SHA1:F56261CE19BFC14F8317C2AA05F010E9ACFBCE02
                                                                                                                                                                                                                          SHA-256:B6D9088505C220F23132D78675004BC31E0FB5C04257357C2B02072EF8C28DAD
                                                                                                                                                                                                                          SHA-512:596AFAA1347CF730D2D0312857366EE3AD4C5C439E2F93BD6D38B29129C7B3530523B206FAEEF1DB3F6D9A18482162FF56321C9F1A1FA4F296F6B29AE8659321
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1112
                                                                                                                                                                                                                          Entropy (8bit):5.030466366630491
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:JdArztW1oF7Nv+IcvH2/+GVTcvH2/+GVhOXrRH2/d9y:3Arzcq7h+Iag+GMg+G27Rgdw
                                                                                                                                                                                                                          MD5:B94AE93769D64791440B3C36CC82AC69
                                                                                                                                                                                                                          SHA1:E4AAAD9A0FB51051C8B25F768BC1563543F132C0
                                                                                                                                                                                                                          SHA-256:432BFD182828A531147812566CB3439702A243BB7A4C45CC816192F9CB91D4A5
                                                                                                                                                                                                                          SHA-512:AD978C59980C0194357D5070D53EA77C334493D14593C141B9DBEEF835FC688FD90C99236D687F50860FA7F4FD4125650E432A61EDF7917C77E4EE4E5E3D4E66
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.8" />.. </startup>.. <runtime>.. <legacyCorruptedStateExceptionsPolicy enabled="true" />.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.Expression.Interactions" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.5.0.0" newVersion="4.5.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Windows.Interactivity" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.5.0.0" newVersion="4.5.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):116872
                                                                                                                                                                                                                          Entropy (8bit):6.726218253535254
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:8tw0r3S8FpUCSBCLiXdb0NphY3kWlon6ZhPn8agN6K/p:8mWi8FpCBCLybQakA/Pn8agNj/p
                                                                                                                                                                                                                          MD5:B9F4D43230B7FB66B95AF05DC03B32DE
                                                                                                                                                                                                                          SHA1:56F868C56FFF836CA61055499988F965DCA37D26
                                                                                                                                                                                                                          SHA-256:A103634B16841E3A68DD4A6BCBDFC3A1651B8C9F1114D99BF01CA31297664E21
                                                                                                                                                                                                                          SHA-512:50EB5DE7D0A1B5D7E1AC38209488635EF77733C2C78DC39D0D473904128DBFC67D4E3EC388D2C2D79645AFDF03FD1965386F6E6D21553C9A6DAB07A58549FD1E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):49320
                                                                                                                                                                                                                          Entropy (8bit):6.325351798150663
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:Qmbo2ICFobV6wsLIcUIh/61jCouvi1Ys7ZYiG6K/Y/+Z:QmbrbU6ws0cGjCoei1Ys7Z7G6K/P
                                                                                                                                                                                                                          MD5:C22900453EF4B917460ADEA7DE87225B
                                                                                                                                                                                                                          SHA1:6878237656DA68C046FB95FAA8CAF3B4C719851B
                                                                                                                                                                                                                          SHA-256:9AF8C8105093B7D62FC578DAE3497FF0AD796C9ABD638EB14269DED4270DFF96
                                                                                                                                                                                                                          SHA-512:2E7D0EB99E2924FB375AAF8891968228193C65C133E362F66567C044E8B744ABC3A992EF7606644690D1BB81AD13A64A35D8107BDBDD9D5942BEA1DD1074EA3C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):18088
                                                                                                                                                                                                                          Entropy (8bit):6.784018634948529
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:4iqjQN+Pw2X6VUYNVYuKAiIYiUOX0FP27NBY3Yuv+WO:fqjQ8f5uKAvYidgK/Y/+X
                                                                                                                                                                                                                          MD5:CD6CB12E677F6C45BBFE57DED6C90567
                                                                                                                                                                                                                          SHA1:C13525F597974BA46B4B2A71F270B1056332F77B
                                                                                                                                                                                                                          SHA-256:FA0E1B932B5548F39795B9C24106B48D6221600EA7679D6A1D1DEEED1C8D7D8C
                                                                                                                                                                                                                          SHA-512:6D9DC73035F3C053281C9347131C8EF232797507F28271B60428FCA4A82CC43689BF1FA3E6DCE46AE92BC3C0E924745F81E315D2E4D4BD2F5D7991DC78A58FBD
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                          Entropy (8bit):5.967185619483575
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:GBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUO:GBjk38WuBcAbwoA/BkjSHXP36RMG/
                                                                                                                                                                                                                          MD5:195FFB7167DB3219B217C4FD439EEDD6
                                                                                                                                                                                                                          SHA1:1E76E6099570EDE620B76ED47CF8D03A936D49F8
                                                                                                                                                                                                                          SHA-256:E1E27AF7B07EEEDF5CE71A9255F0422816A6FC5849A483C6714E1B472044FA9D
                                                                                                                                                                                                                          SHA-512:56EB7F070929B239642DAB729537DDE2C2287BDB852AD9E80B5358C74B14BC2B2DDED910D0E3B6304EA27EB587E5F19DB0A92E1CBAE6A70FB20B4EF05057E4AC
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):22696
                                                                                                                                                                                                                          Entropy (8bit):6.669675167195394
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:PICREYcfpyXOT9Z7a6WmYWXWIYiAh70FP27NBY3Yuv+9gfK:PIiE9QXM1xYioMK/Y/+9gi
                                                                                                                                                                                                                          MD5:657A48C8DA3DE14059498E383EBEF318
                                                                                                                                                                                                                          SHA1:ECCC9AB4E6804EB0581AC5BBD684B7DB5A13F028
                                                                                                                                                                                                                          SHA-256:201EC78B195DCE51330985026A8A4EC641F9ACE53429C5C2F5BB3F1CE7BEEC4A
                                                                                                                                                                                                                          SHA-512:C4F2410470BBEA5680958490B705C828254992441D27E5FB7837957583FDA8D639EA8D9EF00035DB63ABACF28C5E4560D642C1D19F144255908C44F5C37CE8DE
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1192
                                                                                                                                                                                                                          Entropy (8bit):5.059106104983516
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:JduPF7NV+TkH2/17zVVXBOH2/17zVQ7uH2/XVUrPH2/+C9y:327Gwg1BOg1SagXSg+Cw
                                                                                                                                                                                                                          MD5:66373624F8B60F41B8FEC0E61779C0AC
                                                                                                                                                                                                                          SHA1:0D3BE3C009F0A2260F89C3FBC9FFEBA0061C17F2
                                                                                                                                                                                                                          SHA-256:FE0A5830D875B8BD0864BF4F85705D4F2E3D7A575C07B2B5A18041558DBA1386
                                                                                                                                                                                                                          SHA-512:74F084B2697F936122E371042FEF5740BF205914B3FA276F8F7C72561680BF2C39A7DD2970BDEDF36AACC20970CD9552A719211F30090881E498815D91C6CDD0
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.core" publicKeyToken="1488e028ca7ab535" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="SQLitePCLRaw.batteries_v2" publicKeyToken="8226ea5df37bcae9" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.1.6.2060" newVersion="2.1.6.2060" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-6.0.0.0" newVersion="6.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffc
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25976
                                                                                                                                                                                                                          Entropy (8bit):6.331152456306087
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:Z90ljCvGQJ+GlfmER/asDZ0WN1L4meT6pmOW2ZZWeQMWMLHRN7S37EHR9zCt+:Z9EIGk+GlfmERxcFz2ZSCL+7Ex9zS+
                                                                                                                                                                                                                          MD5:3C5DFBB4E3F1AD153EB2E203B56EA0AE
                                                                                                                                                                                                                          SHA1:59623BF1D67D87264C165E421F12426DA998AF46
                                                                                                                                                                                                                          SHA-256:9E8252429D0E6529B87A2C79A13119F4DF56ABE924949F3750B024C51D747378
                                                                                                                                                                                                                          SHA-512:94DF20E98A2E5D7AC93B63EFEBCE4DAAFBF25AB6B4A2B76AF0BB46D9EDE102AC8C8E1147D5813CDB879AADD5A8AA4073FD0E6066286AF4EF4D368FAB983BE3B5
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):25768
                                                                                                                                                                                                                          Entropy (8bit):6.623350319992477
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:21Vrp7wobZBVBhB3GmLiVWgktWe9JHEDIYirwt0FP27NBY3Yuv+1WyT1g:21VV7TbXX72MtWQJHEsYi/K/Y/+1Wy5g
                                                                                                                                                                                                                          MD5:D92BF2C8E0A192E18B1F0B24CCB75171
                                                                                                                                                                                                                          SHA1:2A6343C3409172E1D426B763151E0CBA3B35E473
                                                                                                                                                                                                                          SHA-256:BEED084878EACA4A745A53CC21FAAD1A76F4F82C955BB507496B5B9F23032F1C
                                                                                                                                                                                                                          SHA-512:71AD4963BCEBE516FD9EE526F2DD1ECB13F10E1424D0D3CED08A19A38D902DA562C9B1D0E308C4B898E30187773F040CF6A437210EFEF52B957623F798E59459
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):35496
                                                                                                                                                                                                                          Entropy (8bit):6.3704146545353355
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:yS78zRHlzbzaxUxU7y7y7y7S7CxUxU7y3K7yTyTTN77xNTOLSxY777DKoRREEK79:yS7DOOqf1RuhC5w78K/m
                                                                                                                                                                                                                          MD5:26592109F19A24EE91F039EBB40038C4
                                                                                                                                                                                                                          SHA1:C8846404EFEB44C6CBB242B4C107F7CCE865AD14
                                                                                                                                                                                                                          SHA-256:E3F74128991C128410498223D4185915528360AD3DA92CD01BC23B19D8C2C670
                                                                                                                                                                                                                          SHA-512:8B031C53F5529D50A80AE2A4803D7C34F9A71A54DA01A912D1DB4D77D9BC1F490AB634A32F2DF6009EB53A2E57CD21975F3E00AF111BFA8320DE550A17509CA1
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):88192
                                                                                                                                                                                                                          Entropy (8bit):6.25584016939133
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:0kUuBN7CjSkp9oa++t1BVryVKXDORdDeCNia6Lj4Fu/qSGnJdo0Wzs:ju/t/VryVKXeDezVLj4F/JdWQ
                                                                                                                                                                                                                          MD5:4186A905DC180A0CC2110403727BD792
                                                                                                                                                                                                                          SHA1:E0563D20CA7E95688A60F4BFC1AB0127EAE1F651
                                                                                                                                                                                                                          SHA-256:40DCB80A87A762745D0A15294B5CA7783A9EAD1D93AD352D25B5EDAF4994651E
                                                                                                                                                                                                                          SHA-512:1C3459232B41C531F01BCCE54E46799F2FB3FCD6C87D7F908C633ABCC718D9726D98E65F964B1A870D416A38F545971779054FE65F7C1299905FC7DC24FA2DEC
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):159368
                                                                                                                                                                                                                          Entropy (8bit):6.32384599449582
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:OcqXDYZbIkCKezJaoCNVljUmcmAs6Jm4AFt2iPaTatnhrOKK/E:9qbKwcB4njeXBSTcpOT/E
                                                                                                                                                                                                                          MD5:7AE17C855F3CC63174E90EA527B6138B
                                                                                                                                                                                                                          SHA1:0FE1E1B2252511F33EDA3FFCF1F8FC8586AB040A
                                                                                                                                                                                                                          SHA-256:26FF04208EC4D26EF4DDD9B3CF01C4D2A1544550BCD59EFDE6F30170053A1170
                                                                                                                                                                                                                          SHA-512:453BA41332A704F491FC9E1EE5FBE9F883EDDB4C26A71D207C93992726E9C5B7FEDC48EEEE2A2087F64B083F9473EE794FB2C8F3B77C9DBCBBC47B67816BD156
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):354984
                                                                                                                                                                                                                          Entropy (8bit):6.846739611307464
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:jbz6pzdD/rIJXiQTutgCNktQFvmnoxXTS4ubCjrKglegtKop/4:G9FrIJJaqCNktA+SXfUCP9lvtKop/4
                                                                                                                                                                                                                          MD5:D822226C4B35A7305269C8E16E542D3E
                                                                                                                                                                                                                          SHA1:12F92D16608AAC1C39DDC92BA2B5AB8B5AAE6C30
                                                                                                                                                                                                                          SHA-256:FC504A3F68150AFC8C3304E5528867BF99EDDE0F3707406A30371062DDD86A0E
                                                                                                                                                                                                                          SHA-512:3A3A18D96716BD1033C35B06B73674FF6CBBEBE8F5025D0BE260F649FB268745290139B6501B9E208EB43EC5D76C2ABBA0A34C1E2F7E0E9F25E14C41F54E3914
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):432
                                                                                                                                                                                                                          Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                          MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                          SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                          SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                          SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):143528
                                                                                                                                                                                                                          Entropy (8bit):6.164743567434074
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:oxi8ae06y7Q0kSutmvEmFk0pBa/+h8k/6kY2F8xB0dhqABtx5yoG9Qd7n8K/m:Q0vDkSutmhFpYqtDqAhjMQdYK/m
                                                                                                                                                                                                                          MD5:24DF113016A58EB1D14691CFE947C2C8
                                                                                                                                                                                                                          SHA1:E32B2388C9BCB8BD3EEA1A87626B562A06F5E2F9
                                                                                                                                                                                                                          SHA-256:4DE9980CF1D3B45FC14F69EA4DFF6F456389C5E817344D44D6FA7C1A3276AFB5
                                                                                                                                                                                                                          SHA-512:10DD82391CF51885533A5F9F859D7E79A9016F6E6A24C0A04C9BE08EA4C5A951D73AF467EC89BAB191DAC4B37D51B0C0AB247A24CD05478AD6101A44E9FC0D48
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):41128
                                                                                                                                                                                                                          Entropy (8bit):6.4006875255426365
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:dQq+jQ+JutCjyVmF8Wq8sBP3/7lpKaDBuz3bzrzlJBOKipq8pdwYv4qzsYiCtVK9:gVutFQF873t3/77KaDBuz3bzrBJBOKig
                                                                                                                                                                                                                          MD5:FDF4712500755002CD0FFD2F7BEA8C2A
                                                                                                                                                                                                                          SHA1:372F4D6F2F19A5DF96FCDEF566AE4761F7AFF2B5
                                                                                                                                                                                                                          SHA-256:D61A675E7D11A6DDF12E4CEBCABFD7BAAA24B86AD7B751BE19788E7A8A5ABE39
                                                                                                                                                                                                                          SHA-512:6484349215D1347FB3D77E6598AF740045AC416EE06370B8D89E91ECBA930E5AFFCE6F4840CE4ECD2214960E1884CCBE49710E5B5C1FEBE0C96F88A099AE2E4E
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):159368
                                                                                                                                                                                                                          Entropy (8bit):6.32384599449582
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:OcqXDYZbIkCKezJaoCNVljUmcmAs6Jm4AFt2iPaTatnhrOKK/E:9qbKwcB4njeXBSTcpOT/E
                                                                                                                                                                                                                          MD5:7AE17C855F3CC63174E90EA527B6138B
                                                                                                                                                                                                                          SHA1:0FE1E1B2252511F33EDA3FFCF1F8FC8586AB040A
                                                                                                                                                                                                                          SHA-256:26FF04208EC4D26EF4DDD9B3CF01C4D2A1544550BCD59EFDE6F30170053A1170
                                                                                                                                                                                                                          SHA-512:453BA41332A704F491FC9E1EE5FBE9F883EDDB4C26A71D207C93992726E9C5B7FEDC48EEEE2A2087F64B083F9473EE794FB2C8F3B77C9DBCBBC47B67816BD156
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):301224
                                                                                                                                                                                                                          Entropy (8bit):5.823114295644
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:I856+Aq4WBT5TjbyfQ5d2ap3BES3l+3p7z8p5+cyIqrKMjE3g2AJX5ex4uyj0bOa:v56+Aq4WBTWpSqXhpeEioU2Uh/b
                                                                                                                                                                                                                          MD5:4798226EE22C513302EE57D3AA94398B
                                                                                                                                                                                                                          SHA1:F42C6CFA4068263D955608DE47E60D099AD8B394
                                                                                                                                                                                                                          SHA-256:38F32C75433A2AF902D33511BC3BBBE5BBF66D87FEC7D3AD1694AECEEB7E485E
                                                                                                                                                                                                                          SHA-512:94BB5E38CBCDC1E40BBD3AB14A3C92C8C90F64EA1910108BB2DE80E00BEA358A13A063031B5E3417A55102DB238488F5C3E766A1AF3ACEDB8806FEC5DD81990C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:InnoSetup Log 64-bit FastestVPN, version 0x418, 28615 bytes, 116938\37\user\37, C:\Program Files\FastestVPN\376\377\377\00
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):28615
                                                                                                                                                                                                                          Entropy (8bit):3.445776331023834
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:vBghCardZ7epOa8A9fINlxeiyMzW1VSgOf2KGPUO6awr00Ha:lAbexDwQ600Ha
                                                                                                                                                                                                                          MD5:722E3A8F727CCC6BA457640F54D42137
                                                                                                                                                                                                                          SHA1:3A3B4330BC29D8830C8C2F89B43556442A7ED55D
                                                                                                                                                                                                                          SHA-256:376419235598317144194931A474DE52C2AAE04DB5A413AA4622D8883EE4E757
                                                                                                                                                                                                                          SHA-512:C457A1ECE71A3FFF0E4085F765C562F8A84A4AA1309B47F03028A8D86FCAF0D00CFEB0F190CC15E62C98CBCB25575E7E573277D6CA28CAB3C97D07AB39A40350
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:Inno Setup Uninstall Log (b) 64-bit.............................FastestVPN......................................................................................................................FastestVPN...............................................................................................................................o...................................................................................................................2..........>.|......s........1.1.6.9.3.8......a.l.f.o.n.s......C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N................+.*.... ........................C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N......C.:.\.P.r.o.g.r.a.m.D.a.t.a.\.M.i.c.r.o.s.o.f.t.\.W.i.n.d.o.w.s.\.S.t.a.r.t. .M.e.n.u.\.P.r.o.g.r.a.m.s.\.F.a.s.t.e.s.t.V.P.N......F.a.s.t.e.s.t.V.P.N......e.n........................."...<........C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N.................C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N.\.B.o.u.n.
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):3070013
                                                                                                                                                                                                                          Entropy (8bit):6.39701754184779
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:BdJYVM+9JtzZWnoS2VC23aun8+f5KuGP+VYNCWNtdH333t7:HJYVM+LtVt3P/KuGP+VYNCuf333V
                                                                                                                                                                                                                          MD5:A2386053A831B1C65F9BB923F4F17A7B
                                                                                                                                                                                                                          SHA1:530BC9411C100138963776A527966EA98D2D1FD9
                                                                                                                                                                                                                          SHA-256:3AE0793AF74140734EC43A261FAD664E5871890F28F9CCC692B68B3D6E1A26E5
                                                                                                                                                                                                                          SHA-512:2E149D81B13101F9C38EE67396A92527AE5BFD8761D8187BAB635C7736B316E31D9A246DC14D934F28EEE4076F9B3FA78751F912D9CFEB6A032470997382D76F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):4
                                                                                                                                                                                                                          Entropy (8bit):1.5
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:kS:kS
                                                                                                                                                                                                                          MD5:3499738F724B2AE08A1871B6A0A7D175
                                                                                                                                                                                                                          SHA1:A1AB9117DC426032D0E013BB62EDF31CD37B1CAF
                                                                                                                                                                                                                          SHA-256:715FCF6424D0AC2F19B5A65364795EBB982885F040E93A1BF4FDD594D9478251
                                                                                                                                                                                                                          SHA-512:3B1F29ADDCC165F7807149B13451ABE9DB7E0258F5A77F5802AEA11672B37CBC3439D4D8EB2AAB81F37B302B6631CD9573D64CF281FE4C9E44C672BF31BFF902
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:9030
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8192
                                                                                                                                                                                                                          Entropy (8bit):0.3588072191296206
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:6xkoaaD0JOCEfMuaaD0JOCEfMKQmDhxkoaaD0JOCEfMuaaD0JOCEfMKQmD:maaD0JcaaD0JwQQ3aaD0JcaaD0JwQQ
                                                                                                                                                                                                                          MD5:663C5D6018506231E334FB3EA962ED1C
                                                                                                                                                                                                                          SHA1:539A4641CE92E57E4ADEE32750A817326E596D4C
                                                                                                                                                                                                                          SHA-256:066CB701C03237D2612AA647E6BF08EF594360F96E433639B0CC9EED7335F1E1
                                                                                                                                                                                                                          SHA-512:5F910653FD1B12B94D314EDEDF6EB2BEC70D369D921EB5B7CF4D199B0374D6C798336E39DBF2781F3B0457280E0DDA63BDF4861DF31C08152544B0F1039D5FCD
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1310720
                                                                                                                                                                                                                          Entropy (8bit):0.8337230297046395
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:gJhkM9gB0CnCm0CQ0CESJPB9JbJQfvcso0l1T4MfzzTi1FjIIXYvjbglQdmHDugQ:gJjJGtpTq2yv1AuNZRY3diu8iBVqFJk
                                                                                                                                                                                                                          MD5:A75016AA4AB0530684021B00114AF1CB
                                                                                                                                                                                                                          SHA1:3A0E91B920633A7D10B9534C2FE44F7E36EA3B79
                                                                                                                                                                                                                          SHA-256:44059F54E55173FC7DAE7FC63C47518B4E148302F191514C0806BF36D75D086B
                                                                                                                                                                                                                          SHA-512:795FFBF3EC3862E066D80C79E5F93EBBEA4F9962750E7715675BA8C4CD452841349C788A65C346858B3D239036FDAAB90B1E2B4355CA1644C5AE57AC5914D889
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb2dea1d5, page size 16384, Windows version 10.0
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1310720
                                                                                                                                                                                                                          Entropy (8bit):0.6584108700063899
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:RSB2ESB2SSjlK/AxrO1T1B0CZSJWYkr3g16n2UPkLk+kdbI/0uznv0M1Dn/didMV:Raza6xhzA2U8HDnAPZ4PZf9h/9h
                                                                                                                                                                                                                          MD5:7DBCB1388BF2B86210A848C4277A09C4
                                                                                                                                                                                                                          SHA1:28B72AC717C51D661196C122699676E70A742E26
                                                                                                                                                                                                                          SHA-256:E17D614EE7BB1B94CB7FEDD2A379F6BA8E493AB360AA7D4AC3A6F099D8156850
                                                                                                                                                                                                                          SHA-512:74384F16A3BB21B0EFD7E00B08BF95ED1CA219E0592E2B5F2C057E438981119765404C96214592926986F1239D31183D40A2D3A9BB904B394FE5CCE478E7512C
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):16384
                                                                                                                                                                                                                          Entropy (8bit):0.07393580910064754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:EStlOetYeRQSLilllm9FAwtmBwlllfkC6lllall58Kgvvl/QoeP/ll:/lrzRQSLi/g99UBw/mp/Az8KgR+t
                                                                                                                                                                                                                          MD5:FFC06E90877E2AD2C99AFF2399851648
                                                                                                                                                                                                                          SHA1:2BFD5CBDD7BFC603F4A265C52BA01F9F256B122D
                                                                                                                                                                                                                          SHA-256:C89EAF1F196E608D473FD76579B8AB11C21BA7D44DFA55971121CA5CC3527020
                                                                                                                                                                                                                          SHA-512:22711A17137CAE74119AA15374AABD606D37848DCAAC29C668951853C020484EE88921F1AE886D472A7184FC46C609F4096EBF51C79082F69147CBF658FB330C
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Oct 3 07:43:42 2024, mtime=Thu Oct 3 07:43:42 2024, atime=Thu Jun 27 19:18:16 2024, length=2059432, window=hide
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1765
                                                                                                                                                                                                                          Entropy (8bit):3.224250372225435
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:80ck9odQE5sDVIcHLAsvd/Z6d/nd/VkIbfd/VKL5m:80c/dn5cTH8svd/Z6d/nd/Vkcd/VE
                                                                                                                                                                                                                          MD5:53A31DC4A62A9DB161FD2D0413B476D5
                                                                                                                                                                                                                          SHA1:B57B0962769A610DDF0C85E2C6DA0BFB11A65B15
                                                                                                                                                                                                                          SHA-256:A97E6990E2CB04A4BCB911FACBF94387778E800C5683F5597847E8DE7E879D88
                                                                                                                                                                                                                          SHA-512:B304075EB206CDD209CD8F34D3B26F1FCFCBEEF18071ECAF7B7F14044F7222708070694E94CAE0702BA165999020A560B6AF4B2C8794BB985DD8F70015153E02
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Archive, ctime=Thu Oct 3 07:43:42 2024, mtime=Thu Oct 3 07:43:42 2024, atime=Thu Oct 3 07:43:17 2024, length=3070013, window=hide
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):885
                                                                                                                                                                                                                          Entropy (8bit):4.542564596201997
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:8mVXg20YXn5Dh9/sNkdpF4GrKESKEzDVz07pyOjACDRkbdpBo6bdpBgHthpmV:8mVXj5JdQE5sDVcyyAKwd/o+d/gHLpm
                                                                                                                                                                                                                          MD5:B4F38F4FABC9F44A93ECD19AC82C1BF0
                                                                                                                                                                                                                          SHA1:004C743188F81AB3F245A01BCA3C6D5A447BDC0E
                                                                                                                                                                                                                          SHA-256:562AC4138E85159A552E7379EAA6E43E96031BE7A3F262633C5071CEA3B5D5AD
                                                                                                                                                                                                                          SHA-512:DFD05D0E93D6DF8609D90BDCA2F56E3D404CF9B3F72E23AEA66A662153208A748EEBCAAD270A2C944E5C58D391CC951CD84C25A7F6BA301482A5BE5C7D320916
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):65536
                                                                                                                                                                                                                          Entropy (8bit):1.0629379681070301
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:PXTt3qoNa0BU/6aGiJ6OIzuiFwZ24IO8u:fTt3qoLBU/6at9IzuiFwY4IO8u
                                                                                                                                                                                                                          MD5:F2869120B63EBBAF4A65339895A077D2
                                                                                                                                                                                                                          SHA1:FBEBEF254A893A72876EA96A6B532A1D07224D32
                                                                                                                                                                                                                          SHA-256:139C01D2E1E012E4FC0D56DCB0DF6A5712D74289D47929B4EC692665E6A3E833
                                                                                                                                                                                                                          SHA-512:7FF3AB92B3F0D97442047290A6926BFD654D9DEB75499154BB72F09E65FA6626AF5A9870A388595BCE9D15C1F83CBF51BA604CC21107E57DD4FB86D0923879BB
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          File Type:Mini DuMP crash report, 15 streams, Thu Oct 3 08:44:00 2024, 0x1205a4 type
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):222337
                                                                                                                                                                                                                          Entropy (8bit):4.060340884151234
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3072:dLo7Af3T7EG+07jEg4uEqtHLTgqZbKKWxTzZMD0cy9:dcUT20t4arTg4TWxs7y
                                                                                                                                                                                                                          MD5:C31F0CDCD35769C0FA030E37CBABB7D4
                                                                                                                                                                                                                          SHA1:E4EA5B4592576FC3594E6ADA4DB902E1BDD8744F
                                                                                                                                                                                                                          SHA-256:13DACAD1FE095112620519611D5132BB65507A802AE3B7D399591E431435D9A7
                                                                                                                                                                                                                          SHA-512:D7EBF49D62892D159442B1D5AFFBC41527011A9A8C6F1EAB38CFF8E812E46C11E85B997EB646312944FC6483F6056AE4845A06C3171F5CD7BAE85FF5ACCE74F9
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):8482
                                                                                                                                                                                                                          Entropy (8bit):3.702349271080283
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:R6l7wVeJS36j6YXK6XmgmfZa0DRprZ89b8/sf+D0m:R6lXJy6j6Ya6XmgmfEQa8kf+V
                                                                                                                                                                                                                          MD5:29FE6100910C679434B74150B092ED0B
                                                                                                                                                                                                                          SHA1:20874D03AB3F3466D40C427B6781826B23AFB5E6
                                                                                                                                                                                                                          SHA-256:251D4A4D9EE24703C829C6BF83C805FED23732DACE214494093DA1092CF38850
                                                                                                                                                                                                                          SHA-512:BADCF23463D389D08217329DE9F1776E361EDF77F563E6249C9DE90073EC319BABD31189C68F7A8F407B42E22C93770332CA4DFE46A55A1F6F75F1FD134076FD
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):4887
                                                                                                                                                                                                                          Entropy (8bit):4.556318399162546
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:cvIwWl8zsefJg77aI9JGWpW8VY5Ym8M4JCA2tf8HcFZVP+q8vV2tf8HKIjUPg2jd:uIjf4I7XH7VdJC1sKVPKMsKUUPVjd
                                                                                                                                                                                                                          MD5:CCB0B0A6DFA6E51B7F502DEF3222C583
                                                                                                                                                                                                                          SHA1:E193B542856A015E4630BAE9B16F5AAF38151834
                                                                                                                                                                                                                          SHA-256:ECE4B246AC8EDCD981FB64A6CC1BE749CB7B1FE73105A00D1C30B4657310FE27
                                                                                                                                                                                                                          SHA-512:53886A556AB566215132164A5BFFB84AE130164E457A83A226E5D2AD0889580A95192AF24277A3CC5A021F7266279642759A73BE5CEC833B7A50D8FFDD33CD6D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="527026" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):80734
                                                                                                                                                                                                                          Entropy (8bit):3.0373207969356733
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:1OxsbQhVnUqpNbkdcmnpLYbGXGaS1Es5fbqqpafU4/tJbUGi:ExsbQh9UgbEcOsbw9S1Es5Vp6R/bbPi
                                                                                                                                                                                                                          MD5:1A141F356712C724DDB52370AF2651F5
                                                                                                                                                                                                                          SHA1:E8EA4546979A0D578731233F59A554EF4CEEB47C
                                                                                                                                                                                                                          SHA-256:83637EFDAF40576FCAA39282BFCDF6E09DFA07663D83DB2D4E4D71A36F6032EB
                                                                                                                                                                                                                          SHA-512:AD449C655BD61673C360AAD6D8011826A4851FDE586802B123A4C9516FBE3040D76A067A1177E372F5AA28F38F1CAA0E2D4F8F8F510919B95FA041513C7705DF
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):13340
                                                                                                                                                                                                                          Entropy (8bit):2.6849732918710214
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:TiZYW9HXyNYsY+aWrHjYEZPStFik3Ic0+wFaPdarHTSMlBkIel3:2ZDErhZDYarHTSMlBTel3
                                                                                                                                                                                                                          MD5:81F77C86BC2C1CA33D12B3600798B012
                                                                                                                                                                                                                          SHA1:E11B389536977A70BB5F2071DE40ADA6746B0C21
                                                                                                                                                                                                                          SHA-256:C63E039FB3E22D10D0619A86736057A8382CFDDE836A09C98E49A67A2208ADDF
                                                                                                                                                                                                                          SHA-512:8DAFFD5197FD56AE2CAE4F32DC7B5F8F63416214E2A1D3DCEB5C809F417BD12EDE06A8ED34EBD02696E23161F64EBF191AD02BEF14FF4937AA5B7E93DD9C6106
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Oct 3 07:43:42 2024, mtime=Thu Oct 3 07:43:50 2024, atime=Thu Jun 27 19:18:16 2024, length=2059432, window=hide
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1747
                                                                                                                                                                                                                          Entropy (8bit):3.2184415494355183
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:80by5JdQE5sDVIcHLAsSd/Z6d/nd/VkIbfd/VKL5m:802Jdn5cTH8sSd/Z6d/nd/Vkcd/VE
                                                                                                                                                                                                                          MD5:B55EE329B8B396586436263B3B4ED74D
                                                                                                                                                                                                                          SHA1:942F6DC68822A7B0905111DDD20BD5336F5EFE66
                                                                                                                                                                                                                          SHA-256:8818475B246F7F5CE5090A30B82D7C8124C452C3CA760786EBB9C1579E52431C
                                                                                                                                                                                                                          SHA-512:640611D6808FC5914B530FB9EABA413FFF11F782C13C7EE01598D860F127B0AC42FF08F232B91426918024D2C8200CB6538F2D42ACD8EDD5713B939FC510A0D5
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:Certificate, Version=3
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1428
                                                                                                                                                                                                                          Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                          MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                          SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                          SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                          SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):254
                                                                                                                                                                                                                          Entropy (8bit):3.029276819727135
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:kKXS4LDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:vpLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                          MD5:A08125B17A578734064D52BEF3D5F5DE
                                                                                                                                                                                                                          SHA1:E731A0992448A740DA2F5131C608F7D3A3ADFBC8
                                                                                                                                                                                                                          SHA-256:AAAB1F641B579FB44FB1423EB6CE59CAE8D0C96B1C64E770FCA475163C67736B
                                                                                                                                                                                                                          SHA-512:106E5E8C1DDC6AF45444B9B6A7282DE8E4185A64F0502CDEC31F9D3D91C42A1DD3A9106038BA580A9E196765C116F9346EAB00E915FEAB06643A0DF9EECA0711
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:p...... ....l...Up.mp...(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):166
                                                                                                                                                                                                                          Entropy (8bit):4.816940765206284
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:vFWWMNHU8LdgCQcIMOofqRqLVuXKCWAawLEHJq0Vq4tlKaF9ULVuuQIMOn:TMVBd1IGpOSDH40Vq4t/G3QIT
                                                                                                                                                                                                                          MD5:90401247D5A6AF2729E2F23FBA0A6351
                                                                                                                                                                                                                          SHA1:977D37740A245C9A41AD5B8916C07A699B181A09
                                                                                                                                                                                                                          SHA-256:C4622D6EF948D316ED1C28E5BD2EE8CCE28BE710E9815CA67BDFF4C2648AACA4
                                                                                                                                                                                                                          SHA-512:1F47BC3EFD2AB121663FF12F753DF519DE18CFDE43C79C475D7CEC32D70AFC7CE8A696EBCE5BA2519CBAA4F58FBEDDEC082B3AC6EFCE50996D54A2975B2C27DE
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="False" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):237
                                                                                                                                                                                                                          Entropy (8bit):4.807606594598902
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:TMVBd1IGpOSDH40Vq4t/S4JAFQDuq4t/G3QIT:TMHdGGpOiYX4t/rAFQD4t/G3xT
                                                                                                                                                                                                                          MD5:183EBDEC24DDC45FF5E38C915A0F1F2E
                                                                                                                                                                                                                          SHA1:E1FFE9DA68D9F934FD66E0EB15857C9C1F9BC48D
                                                                                                                                                                                                                          SHA-256:6165A855053058DA8ABDE8798FABCD9F0E6ECAD175E52A3DFE0F3CF081C82E4E
                                                                                                                                                                                                                          SHA-512:41F7B750B6CE0B096A3D5FD7ECF6CD1E222C7B26C4FF3F0463B1AAB2D5718245CF4A91AB396B02ED8B125A55E62574D5E11949B95C5A636899CD1A2F4F795D06
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="False" />.. <add key="AppCenterServiceEnabled_analytics" value="False" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):393
                                                                                                                                                                                                                          Entropy (8bit):4.973481165175838
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:TMHdGGpOiYX4t/rAFQD4t/rA0y4t/KDwgIzNG3xT:2ddY4zrUzRyfv
                                                                                                                                                                                                                          MD5:26F6FFDC6C5D1EA65394F3F76976712E
                                                                                                                                                                                                                          SHA1:518E0EDDAC7CF3F2F99039101ADA2885A5CFA324
                                                                                                                                                                                                                          SHA-256:A5CDFAB76F9187D6221E68BF0F169A965402313AD8B83611C0E1A9DC6FD588F5
                                                                                                                                                                                                                          SHA-512:AFE512915B350B8362BC718154E48D8C59903BB0D5507E196F4E6794893E0FC3A47898F71608BED33AF02E9764F7CF3AE9FD13EFB08BFCABD855C6D61CDFEADD
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="False" />.. <add key="AppCenterServiceEnabled_analytics" value="False" />.. <add key="AppCenterServiceEnabled_crashes" value="False" />.. <add key="AppCenterInstallId" value="575c07ff-d221-4d58-a35d-90db08c3da34" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):392
                                                                                                                                                                                                                          Entropy (8bit):4.984630466981951
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:TMHdGGpOiYX/rAFQD4t/rA0y4t/KDwgIzNG3xT:2ddYDrUzRyfv
                                                                                                                                                                                                                          MD5:B483616ECBD0C3E1A73D022030B418DC
                                                                                                                                                                                                                          SHA1:C6B2A0806D3BA14F25A9DEBFF1AF250FB384CABF
                                                                                                                                                                                                                          SHA-256:7FABF2DD85DE4CADFE5B9BDA50828CF71C2E39D4F82DB0FB303DC62A153BA93D
                                                                                                                                                                                                                          SHA-512:7D7B6AB50771E8577EECEA9D5D3C44DE8A9E65A568C50FACFAED67275863FD4EF42E32B27B8BF948F5F00AC12AD783A64A1F9F22535CFBF6F69E99B37853601B
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="True" />.. <add key="AppCenterServiceEnabled_analytics" value="False" />.. <add key="AppCenterServiceEnabled_crashes" value="False" />.. <add key="AppCenterInstallId" value="575c07ff-d221-4d58-a35d-90db08c3da34" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):391
                                                                                                                                                                                                                          Entropy (8bit):4.98714673507357
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:TMHdGGpOiYX/rAFQD/rA0y4t/KDwgIzNG3xT:2ddYDrPRyfv
                                                                                                                                                                                                                          MD5:3A94FB0A075913386086481BDBEEFBEC
                                                                                                                                                                                                                          SHA1:F83999C767593951396148159A788D2221D4A539
                                                                                                                                                                                                                          SHA-256:016F423EC2E2EED635352BA102793E6BB321A6B61A7BBA6EBB1693EAE2C35B8C
                                                                                                                                                                                                                          SHA-512:5AD62F4A37B35C20DB8028D299333E77935FDE39215F51EA3DD0CF1362CFD7C3DEE1DD80B5856E9FFE2E78ADF6583A2CAA975579CA983CBA1616E25F40597E2F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="True" />.. <add key="AppCenterServiceEnabled_analytics" value="True" />.. <add key="AppCenterServiceEnabled_crashes" value="False" />.. <add key="AppCenterInstallId" value="575c07ff-d221-4d58-a35d-90db08c3da34" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):306
                                                                                                                                                                                                                          Entropy (8bit):4.786578375552194
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6:TMVBd1IGpOSDH40Vq4t/S4JAFQDuq4t/S4JAHUfq4t/G3QIT:TMHdGGpOiYX4t/rAFQD4t/rA0y4t/G3p
                                                                                                                                                                                                                          MD5:9BD7587F34E11ECFAD8B5DEEED8364B6
                                                                                                                                                                                                                          SHA1:93765EE7A4A27B2F84134001FAAB307984BD58BE
                                                                                                                                                                                                                          SHA-256:B9870C1A6239C96F710CEB8B8E21A745433A8C8151B0D2FD9C17A0D2C4AB1C29
                                                                                                                                                                                                                          SHA-512:7B0B26DFE2CD19BF210AE3E916D95D9EE97D6677C11979D2F8787C2EC9F682FC52078B4D126BC4671661CFD98EF8D7C9AE18F9AE5F8D6DF141F8B25B52A5D5C3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="False" />.. <add key="AppCenterServiceEnabled_analytics" value="False" />.. <add key="AppCenterServiceEnabled_crashes" value="False" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):166
                                                                                                                                                                                                                          Entropy (8bit):4.816940765206284
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:vFWWMNHU8LdgCQcIMOofqRqLVuXKCWAawLEHJq0Vq4tlKaF9ULVuuQIMOn:TMVBd1IGpOSDH40Vq4t/G3QIT
                                                                                                                                                                                                                          MD5:90401247D5A6AF2729E2F23FBA0A6351
                                                                                                                                                                                                                          SHA1:977D37740A245C9A41AD5B8916C07A699B181A09
                                                                                                                                                                                                                          SHA-256:C4622D6EF948D316ED1C28E5BD2EE8CCE28BE710E9815CA67BDFF4C2648AACA4
                                                                                                                                                                                                                          SHA-512:1F47BC3EFD2AB121663FF12F753DF519DE18CFDE43C79C475D7CEC32D70AFC7CE8A696EBCE5BA2519CBAA4F58FBEDDEC082B3AC6EFCE50996D54A2975B2C27DE
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="False" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):390
                                                                                                                                                                                                                          Entropy (8bit):4.980960609601564
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:TMHdGGpOiYX/rAFQD/rA0y/KDwgIzNG3xT:2ddYDrP7fv
                                                                                                                                                                                                                          MD5:F74D25B2003C0D1C17A77FFCD34063D5
                                                                                                                                                                                                                          SHA1:43B9382EA948EC0D38B86F53B1D4DCD67785A334
                                                                                                                                                                                                                          SHA-256:25F7612985076526BB3611F8BCC58D5C6033CDD14F2D6BADABDF9CE1BD590D4F
                                                                                                                                                                                                                          SHA-512:B40AABC8DBBA0C9A2699B03C830D089999DA8F7889A0F5D7FC5DA6112EF19C8BB09C3B51C36DD7AAFBE1C1D58A0E00251AF1E4C2CF35448B18B5D393CDCD198D
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <appSettings>.. <add key="AppCenterEnabled" value="True" />.. <add key="AppCenterServiceEnabled_analytics" value="True" />.. <add key="AppCenterServiceEnabled_crashes" value="True" />.. <add key="AppCenterInstallId" value="575c07ff-d221-4d58-a35d-90db08c3da34" />.. </appSettings>..</configuration>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):554
                                                                                                                                                                                                                          Entropy (8bit):5.190490363715085
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12:TMHdha8iPibgvv5K/jIDkcJ//0b6QnQxUrrCYb:2dk8avv5KER5yZp
                                                                                                                                                                                                                          MD5:770A9E878C690857807301C669D8002B
                                                                                                                                                                                                                          SHA1:EAEB35A2A438ADEE17B4020D4832355769EB2013
                                                                                                                                                                                                                          SHA-256:F54977607FE77962DC2E7CC4FC0AED2990D25A249E58AA9813F42EFD0CF51200
                                                                                                                                                                                                                          SHA-512:1E223D5C4213517B3400B887F320E42F19BC3C3F974ED4A4FBFA48157E2D5030BDA6DD9800A477DBE7FD8E76860DC24EE947F1FD9EE67294A5A9A6C1E8666CD3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8"?>..<Settings xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">.. <SplitTunnelingStatus>false</SplitTunnelingStatus>.. <HasSeenSplitTunneling>false</HasSeenSplitTunneling>.. <ConnectOnLaunch>false</ConnectOnLaunch>.. <EnableAdBlock>false</EnableAdBlock>.. <RedialOnDrop>false</RedialOnDrop>.. <IsIKSEnabled>false</IsIKSEnabled>.. <IsConnectFallbackEnabled>false</IsConnectFallbackEnabled>.. <IsMinimizeLaunchEnabled>false</IsMinimizeLaunchEnabled>..</Settings>
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                          Size (bytes):1803
                                                                                                                                                                                                                          Entropy (8bit):5.3407719505798275
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:MO8mH2HKlIHoVnM6YHKh3oPtHo6hAHKzeEHKKHKx1qH6HKmTH3:fWqlIIVM6Yqh3oPtI6eqzPqKqxwaqqX
                                                                                                                                                                                                                          MD5:077007B5E9C8A61A51283FAC0B0B1260
                                                                                                                                                                                                                          SHA1:F9EABAC9D0664999C4D46AEB57C99D9041FD7F49
                                                                                                                                                                                                                          SHA-256:DD99B5C1E5B54D11E9BE692C4201D18FC5CF4764B5EFFA232EFF142617F9EA2A
                                                                                                                                                                                                                          SHA-512:007E65ABAA38E36B0DD4DD58EDFFDD4538B0F6D269F7067FEED2176DE1971EACF39E0E4BCF4365A383765C1DD49DDD2BFFA044EF94A8B50BB4270A17B74411FF
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Confe64a9051#\48ee4ec9441351bbe4d9095c96b8ea01\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.X
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1785
                                                                                                                                                                                                                          Entropy (8bit):5.341273156781821
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:48:MxHKlYHKh3ouHgJHreylEHMHKo1AmHKntHo6hAHKzeR:iqlYqh3ou0aymsqu/qntI6eqzm
                                                                                                                                                                                                                          MD5:595CF857FACB9D100C163C39E2F2FE08
                                                                                                                                                                                                                          SHA1:BD30AB70391652932B3BE7EF5D84A9B4C617B7FF
                                                                                                                                                                                                                          SHA-256:A2E82A1EA4819A2C30BB6C841870CDA86A8DF0DF1B7ED5D18DC707F1B3962995
                                                                                                                                                                                                                          SHA-512:A583D205C967908D847EC7EAD1ED1E039E9BAE253406690D71E621108189374E15E4BAE206C492D85E971EEBD18B8B7A621D686802B4D57126DDB4A1CFFE2ADA
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\WindowsBase\4d760e3e4675c4a4c66b64205fb0d001\WindowsBase.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\17470ef0c7a174f38bdcadacc3e310ad\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1312
                                                                                                                                                                                                                          Entropy (8bit):5.396213098882986
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:3T1WSKco4KmM6GjKbmOIlas4RPQoUP7mZ9tXt/NK3R88bJ0mrqtf:j1WSU4Yym/x4RIoUP7mZ9tlNWR83mA
                                                                                                                                                                                                                          MD5:B35132487F6684BAD9C17915DCE94270
                                                                                                                                                                                                                          SHA1:F90D2642E2BB6EE331220827F3EF1BD908355629
                                                                                                                                                                                                                          SHA-256:FE742A4703C4443AA6D12D18A9F130169CE79EE0F371BACBB17F1CA82FD2811C
                                                                                                                                                                                                                          SHA-512:D46045587F1D97D8FEE50B753FEAF2B82AEACCDE952961F9FEA844AEE6B3A29885035F8A2802D5C4F00F77F96D7A07FEB8CA3EE59DD0E4FFDED6FD24A91B06B3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):60
                                                                                                                                                                                                                          Entropy (8bit):4.038920595031593
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                                                                                                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                                                                                                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                                                                                                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                                                                                                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:PE32+ executable (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):6144
                                                                                                                                                                                                                          Entropy (8bit):4.720366600008286
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:sfkcXegaJ/ZAYNzcld1xaX12p+gt1sONA0:sfJEVYlvxaX12C6A0
                                                                                                                                                                                                                          MD5:E4211D6D009757C078A9FAC7FF4F03D4
                                                                                                                                                                                                                          SHA1:019CD56BA687D39D12D4B13991C9A42EA6BA03DA
                                                                                                                                                                                                                          SHA-256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95
                                                                                                                                                                                                                          SHA-512:17257F15D843E88BB78ADCFB48184B8CE22109CC2C99E709432728A392AFAE7B808ED32289BA397207172DE990A354F15C2459B6797317DA8EA18B040C85787E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Users\user\Desktop\PVUfopbGfc.exe
                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):3045888
                                                                                                                                                                                                                          Entropy (8bit):6.41066353205617
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:49152:pdJYVM+9JtzZWnoS2VC23aun8+f5KuGP+VYNCWNtdH333tQ:PJYVM+LtVt3P/KuGP+VYNCuf333i
                                                                                                                                                                                                                          MD5:259E3EE4646FC251C3513EEF2683479F
                                                                                                                                                                                                                          SHA1:BE09457567F0562E8942A28BD90759F6DCE6DCB5
                                                                                                                                                                                                                          SHA-256:BD9F32A9B7B9663A3AFDD1DC0CCC3D6423783B360DB341691FE2FE71C543EC53
                                                                                                                                                                                                                          SHA-512:56607419EF2E2F98A8DAA6478DEA4B49925F4A17AB649E450F34331490281E2FCF976F17813F1A80FA460EE258C02901528A43B508093098135C1FADB5902B24
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10711
                                                                                                                                                                                                                          Entropy (8bit):7.2254581318251425
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:PqDhDNF748XJCO39JnxrEwJqKkhYCxXA6qnaj/rHr:OXPJxXxkh3xXhlzX
                                                                                                                                                                                                                          MD5:225E7BA0E5E2D46813E5C858A4D0D5B0
                                                                                                                                                                                                                          SHA1:5DD49014764F634164520583FD0CEC87AB1A1625
                                                                                                                                                                                                                          SHA-256:B0BAF5CB84FA4ACB34B77A6231052061DA6B8676D216833724B7A602622161FB
                                                                                                                                                                                                                          SHA-512:9C77ADF7E71ACA94489DFEB536F796A017B7C05771962274BAE2C614E2AE6799CCEB36CC58AC470184C37F52DEAC75988BB14E6A329F432C6D7CEDBCA18272A8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10711
                                                                                                                                                                                                                          Entropy (8bit):7.2254581318251425
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:PqDhDNF748XJCO39JnxrEwJqKkhYCxXA6qnaj/rHr:OXPJxXxkh3xXhlzX
                                                                                                                                                                                                                          MD5:225E7BA0E5E2D46813E5C858A4D0D5B0
                                                                                                                                                                                                                          SHA1:5DD49014764F634164520583FD0CEC87AB1A1625
                                                                                                                                                                                                                          SHA-256:B0BAF5CB84FA4ACB34B77A6231052061DA6B8676D216833724B7A602622161FB
                                                                                                                                                                                                                          SHA-512:9C77ADF7E71ACA94489DFEB536F796A017B7C05771962274BAE2C614E2AE6799CCEB36CC58AC470184C37F52DEAC75988BB14E6A329F432C6D7CEDBCA18272A8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Thu Oct 3 07:43:42 2024, mtime=Thu Oct 3 07:43:50 2024, atime=Thu Jun 27 19:18:16 2024, length=2059432, window=hide
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1771
                                                                                                                                                                                                                          Entropy (8bit):3.221525648551146
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:80fy5JdQE5sDVIcHLAsed/Z6d/nd/VkIbfd/VKL5m:80yJdn5cTH8sed/Z6d/nd/Vkcd/VE
                                                                                                                                                                                                                          MD5:475DAA59388F244A08F5B442DDCC5B1B
                                                                                                                                                                                                                          SHA1:CDD4F1C147B202FFB1893701C42CA1054BD6FD8C
                                                                                                                                                                                                                          SHA-256:C2FCEFE3C9F3285586677A764A9E014FCC9088C2B06D6EABE88211C7755BC6FB
                                                                                                                                                                                                                          SHA-512:54F17D20ACAFDACA87C101B2130510BC0BAC18B631210EB04242CF10A34F0F3D25B16FAB3D23B29D322517C4F10E776F46DC1FB830B9BC573CCD2B97998BC6FB
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:L..................F.@.. ......Yp....ye^p......$.....l...........................P.O. .:i.....+00.../C:\.....................1.....CYvE..PROGRA~1..t......O.ICYzE....B...............J.....4<..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....CYzE..FASTES~1..F......CYvECYzE....*.......................(.F.a.s.t.e.s.t.V.P.N.....j.2..l...XH. .FASTES~1.EXE..N......CYvECYvE....G.........................F.a.s.t.e.s.t.V.P.N...e.x.e.......Y...............-.......X...........!.M\.....C:\Program Files\FastestVPN\FastestVPN.exe..<.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N.\.F.a.s.t.e.s.t.V.P.N...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N.(.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N.\.a.p.p.-.i.c.o.n...i.c.o.........%SystemDrive%\Program Files\FastestVPN\app-icon.ico...............................................................................................................................
                                                                                                                                                                                                                          Process:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Icon number=0, Archive, ctime=Thu Oct 3 07:43:42 2024, mtime=Thu Oct 3 07:43:50 2024, atime=Thu Jun 27 19:18:16 2024, length=2059432, window=hide
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1801
                                                                                                                                                                                                                          Entropy (8bit):3.237518895368436
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24:8UYy5JdQE5sDVIcHLAsQd/Z6d/SCqd/VkIbfd/VKL5m:8UJJdn5cTH8sQd/Z6d/sd/Vkcd/VE
                                                                                                                                                                                                                          MD5:1D1AD03F120F2C84153D196ED3AFB8C4
                                                                                                                                                                                                                          SHA1:6984A0A481EB1A4AF5373DA227E2DB1E84CF8110
                                                                                                                                                                                                                          SHA-256:DC77B79604F655E9CA17E0FBE965E2F56D49F941AF014514F4A2B0A1E846CEBC
                                                                                                                                                                                                                          SHA-512:13003C3E9EB8FFD5F568F04BB4CBA053F1C6721D31B999A2713DC5368C714CFC701BF326D00583BB774435AC8EDA63125104B383D59081BD25F6BBE7C03C0719
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:L..................F.@.. ......Yp....eq^p......$.....l...........................P.O. .:i.....+00.../C:\.....................1.....CYvE..PROGRA~1..t......O.ICYzE....B...............J.....4<..P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....^.1.....CYzE..FASTES~1..F......CYvECYzE....*.......................(.F.a.s.t.e.s.t.V.P.N.....j.2..l...XH. .FASTES~1.EXE..N......CYvECYvE....G.........................F.a.s.t.e.s.t.V.P.N...e.x.e.......Y...............-.......X...........!.M\.....C:\Program Files\FastestVPN\FastestVPN.exe..B.....\.....\.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N.\.F.a.s.t.e.s.t.V.P.N...e.x.e...C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N...-.a.u.t.o.r.u.n.(.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.F.a.s.t.e.s.t.V.P.N.\.a.p.p.-.i.c.o.n...i.c.o.........%SystemDrive%\Program Files\FastestVPN\app-icon.ico.................................................................................................
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):321936
                                                                                                                                                                                                                          Entropy (8bit):6.249416182192696
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:49C2dRHqGR0N9BdVLATWWFQEDyhNSDEAIjUoMfqC9ulMdUBIKL:Z2dRHqGRyhAT9FxoSIAIx/C9ulMe2KL
                                                                                                                                                                                                                          MD5:5C1752EF16C7E3B28D9662E3C08FB08F
                                                                                                                                                                                                                          SHA1:4B3F3BE508D4C6CD8374FBB812EE30E99F8128C0
                                                                                                                                                                                                                          SHA-256:1BF45DF354D53D400EAF644E205DADDB0C07B408EB0C03D8CCFF765BD6659FB3
                                                                                                                                                                                                                          SHA-512:296F8AA642527C3A2364B9FA0E1C9F3EE3B7AD6F82D51685F71601F4E4A0E5DA5327FF1E1884F6264E7961417D54028B4E9BBE1B836968FF0F9D6685EBEE0327
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):397712
                                                                                                                                                                                                                          Entropy (8bit):6.40156340476818
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:ThaEhq4cY0f8IlE6BZR2nUx9lYOUgLZUrd:T4EhqR5lE6xSUx9lYOUg6rd
                                                                                                                                                                                                                          MD5:42C063882FD7CEDD3CC62356450D8987
                                                                                                                                                                                                                          SHA1:A09DB77F70A6F7D7C59418FC08250A8E13E8A60D
                                                                                                                                                                                                                          SHA-256:37D1EBFC8F423BF02DEC598C6421E4124C8C5666C27782180D84003039E88DFF
                                                                                                                                                                                                                          SHA-512:77AC9C670F91059B2CAA12DA9B5417CD71D525F900B7DDA51FFCF499AA2882734B342F6803814C6FDE1B527C9742ED9CF67AB1EE8D141CB437B57C979D89B456
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):346512
                                                                                                                                                                                                                          Entropy (8bit):6.253406880555808
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:sQz5UqJwVKCsnOeuj9PDnBQpUZyNVHhl/FPTCgTx:sQ1UqChsnOeMhBaQy9l/FPW0x
                                                                                                                                                                                                                          MD5:9641732F1DB2EAB135130C9128C1427A
                                                                                                                                                                                                                          SHA1:88B0857CFE055A1D920E55B3094116162E4EAA00
                                                                                                                                                                                                                          SHA-256:B47CD11E4089FE0AE8BAF4E05B4CCF19B1DFE403FD392649E9253C05D58F3CBC
                                                                                                                                                                                                                          SHA-512:5C87B26E51771B61FDF87D577781B1FB163527D0F03E74327BC11EA1A24B1B449D4AB23F7393466ED4BAF3809A5151EB30928F462B5FCD55BB8DE4BD733856A8
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):313744
                                                                                                                                                                                                                          Entropy (8bit):6.2705364965004815
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:7OqwvZdI0CglL0fN5ra4KBb5cSgQkJjMoplVNLQDrkHW:6qwvigF0fN5OB5dgQkBplVNLQDeW
                                                                                                                                                                                                                          MD5:2EEEB7F9DCC44DC28CBFBAF94176CA6F
                                                                                                                                                                                                                          SHA1:65055D6EE4E5A322DB3C74B0EF8CDADECDB32737
                                                                                                                                                                                                                          SHA-256:966DDE59F9ABD125F763A95273BF923C2543A4B9F43F6F0C5587CCA308BD9FFD
                                                                                                                                                                                                                          SHA-512:5919481A1768E9B19CE79ADDDFFC25A6BCDA326232FEB6E61729C2173292F3E2EC7266C646090DCC061A2E9643084583E43947774FDF76842316249B3B2E911F
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):344464
                                                                                                                                                                                                                          Entropy (8bit):6.268258211828341
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:eyhvW10qILfhXrbR0fkN0addZrKKOYQ9gsYlFtx/pP8fW5:eyhW0qIF10fkNBvgK5QRYlFtxxP8fW5
                                                                                                                                                                                                                          MD5:E6C6C72226677BACF6EC83BEDA63F49D
                                                                                                                                                                                                                          SHA1:C0E75C5A5B9D7C8CD07E80A2BA4D809801EFF649
                                                                                                                                                                                                                          SHA-256:2018F17E324516FC891E5C868E2045970855A3A1521D73F0F6AE12EBF12CFBBA
                                                                                                                                                                                                                          SHA-512:3A52B60711EFB4A34E5FF655E60D51A29C6D4B2CD4561A421A51647D5FCB2C75F1468A8F93C25206EDEBCF259112A4C7DA41F90181FF7E53946E1FFF5FB3F353
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):17983376
                                                                                                                                                                                                                          Entropy (8bit):6.549243204630475
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:98304:2M5ISKnKKu/60i9gzTcriqcN9MX4C7GsIAfiz8xS6RWhi62KFfQWmLu2EkKZ3uNx:xO6ggzLI7op6Rt69L2kuNx
                                                                                                                                                                                                                          MD5:E3E8D995E4A1D5E84EE11DBD58D21F3B
                                                                                                                                                                                                                          SHA1:52E7AFB03DD3F45F7B8839879FEC1ACC7965A62E
                                                                                                                                                                                                                          SHA-256:29782AC1F424865FA1007A5F818F35ABB5307B01C099AAA38067513E516A0454
                                                                                                                                                                                                                          SHA-512:F4FB26D4DC2D91D36FD8F26B9BE6B74F50DF94DE530AFDD8D2D5E9D6D6300B52FB9C6EFBD94A95D630094CE59D5D1AA1B898F810BE8806B7E9DFC5466D312659
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):929318
                                                                                                                                                                                                                          Entropy (8bit):7.900306716974538
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:24576:+20deSdhsNk795wZ08KxwK29H7hfnn3MQYa:+20ddsy95WKxwKQnc2
                                                                                                                                                                                                                          MD5:2D1F8BF06610A54B8A61894239012C3B
                                                                                                                                                                                                                          SHA1:98BA3AEC7A32B6BCB264B51364A0A8A664E4FE82
                                                                                                                                                                                                                          SHA-256:8FAFAB1032577F2EDC583C676A9BBFEECF929B5BE22950183C9A77BC2123798B
                                                                                                                                                                                                                          SHA-512:AE9DB2DEA48BFC54274975306FA98921882EA43A590DCF60733B964253C3E9D97BE9CC97F45F18ECCB65802C0EC4599BAFBFF781FE635D6364BD0B657C95655E
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):63258
                                                                                                                                                                                                                          Entropy (8bit):4.638400083452387
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:PcJillRMp5RLRYkKJdcmFT38Q9aSePEUX5:PcJiDRMD9YdtePz5
                                                                                                                                                                                                                          MD5:127A512367895E269AD9922079C47761
                                                                                                                                                                                                                          SHA1:7444878FEF13B7B4FCBE57D2DB2C527A34CA48C5
                                                                                                                                                                                                                          SHA-256:E841508B1B3D7615F17E691334ECB6B1A7F7A83BC531BFF272E85F048AA3DDFD
                                                                                                                                                                                                                          SHA-512:90E486FA09945BCCBD24542C31F832BEC4AA6EAE7D7A1522526018D0AC38CE855F545E1AB7AEFA1B6F7D78E6F0C8333A607E8A9BF1DCFA74E9E4F3B113AFD15F
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):545680
                                                                                                                                                                                                                          Entropy (8bit):6.371479071684404
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:8xqABhfuM6KsuJPR9K+EvLHhDcsgsEO5CllKDh/eF4:8xqDM9+lHNcsgACllKDh/eF4
                                                                                                                                                                                                                          MD5:2D885495E81A8B8D1D5305FE20566484
                                                                                                                                                                                                                          SHA1:F1D2083D399DD48927CBD83E23F90AD3CE3E0632
                                                                                                                                                                                                                          SHA-256:EB2E18881DDD80A3E54527264B3E7C5046F15854A196B76CCAD28E8258F3F1B2
                                                                                                                                                                                                                          SHA-512:E2BB9F8E377B381CC13538B39E8B3FB749341FCEF84E7B26749BF35141C6C52A48636BB00C6FA7C585EEC4C01B03CD0EC38C8F3E85E0CA2C2CDA26D026DEF326
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):323472
                                                                                                                                                                                                                          Entropy (8bit):6.260791393809843
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:xadPqy3/nKyWFZS3PCmxiVvUTiJ+1I2hWHlHTkPXdxs4:wqyAA3PCmwV8i41I2gHlHTkvdW4
                                                                                                                                                                                                                          MD5:128D06B8C5739F35A7C76A76BF1E6149
                                                                                                                                                                                                                          SHA1:901F9698BF4C4A10E8E902E6DBDDF1782E1067D0
                                                                                                                                                                                                                          SHA-256:BF585DBC4E4DCE47F9EFDEEAD15F67A69644CE6F1177CEEC518882DC85ECC096
                                                                                                                                                                                                                          SHA-512:ECE9254486347751D6F68AE86AFB36508FED81B00C4588F555DB584A0E9DE5F4710A24E6BB5B2B19A25BEE20AA4BF90068F9EB2E37B48271614B6C97199E419C
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):543632
                                                                                                                                                                                                                          Entropy (8bit):6.3781262731970685
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:zqzF5VH24Jy+0PeZOYbxobw+QY0heC9lVNLETyoK:zqh32SRoc+QY0n9lVNLETbK
                                                                                                                                                                                                                          MD5:94267176E212B8EBFF06728CC6C3F432
                                                                                                                                                                                                                          SHA1:F65313083C2B3177F405B7AB884BA0A9BE3251D9
                                                                                                                                                                                                                          SHA-256:08D08CBFA4D5531CEEE16BFCB2255EDA79C5B7F7C0894C4E6F49F673457AB362
                                                                                                                                                                                                                          SHA-512:014459C9D3DBE7C09E0D6DB085CE9F715248BA6D784845339B2D6896A8BA7B680C93E707D4990350E30C8853A95FD0DC6F8E9244643787DB65AB8A2F95C26967
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):323472
                                                                                                                                                                                                                          Entropy (8bit):6.24323878406639
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:aK/qrBUA8kikYQQ2sXvNnot1bdNtb1lHSdrkjoE:a8qC5kikpQX1ny1bdv1lHSdYjoE
                                                                                                                                                                                                                          MD5:BFEC2012B6589D4496EA0283E90A5269
                                                                                                                                                                                                                          SHA1:813E3FAD5CFE4A30E20F05080D106811C5544FA3
                                                                                                                                                                                                                          SHA-256:F9406ECAA9C86F2946F8B9D997F0210F1F5EE974BE6548D1DB039014D1B45552
                                                                                                                                                                                                                          SHA-512:396F28EB15ED793DB453CD3B3E9118F4386FE24A75E3F3914E881CCA3ADA8918B98751BDAC51C4A5E897CCA1E700B2A545686463A6B0DD6719EA172682CFB928
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):589712
                                                                                                                                                                                                                          Entropy (8bit):6.371606969587959
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:Qnu0YqCbnvh0xDqjFR0NdzhdkPJZIR0vnrXkcc9VNLqYWTF:Qu0YqInZCD7mZI0vnrPc9VNLqYWB
                                                                                                                                                                                                                          MD5:EAB165F7A1856FC4FC191416A26F20F3
                                                                                                                                                                                                                          SHA1:3E3BAAA9A8AE20680D4B347A3A65E4A388DC0F4D
                                                                                                                                                                                                                          SHA-256:A2C87DFE4D43C7CC8AC44F2AC43BD45EC4F3F6BA87A2C73AE8B55F26286600E9
                                                                                                                                                                                                                          SHA-512:897E0F107BEB1FCC6402183C535F2550E954B379451415E8B40403D0575EFA6E1D1373F9F0B9A0649AB09515259490C7BFB9E9926F76735EE513F68460FB5143
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):539536
                                                                                                                                                                                                                          Entropy (8bit):6.374120901700144
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:12288:F2qV/eGvVJVbhqs7MRkPXpaCLz9gS+f/9VNtP8zC:F2q9rVJeMp1Lz9gj/9VNtP8zC
                                                                                                                                                                                                                          MD5:7024D49DF9315B5718F40FCD29A8656F
                                                                                                                                                                                                                          SHA1:EF243D1EC09F2FB714459D596F40A87B5B51C054
                                                                                                                                                                                                                          SHA-256:51877E41297AE94FE33D01D980717AE18938A3E81A32C57ADC77D754EF7E66BE
                                                                                                                                                                                                                          SHA-512:D9B7661B923B45020641F80A4695079A86F92848A022C8374C9339258A3F63D628000628CF75163B7C707A8506BB4D4928A1EA75E09FA6416EB9A2150EB5B705
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          File Type:Generic INItialization configuration [BeginLog]
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):58712
                                                                                                                                                                                                                          Entropy (8bit):5.207893762477
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:384:OGdni80C/8g0atRf7yr14ujuNY9AZi3Z/oUtwrP3UQGSE254OkW0/yJLV7s7HqSD:Own95cdyYloiwTyz259lrZc
                                                                                                                                                                                                                          MD5:77D8AC7575FB6A6DDB2415BD3D5AA420
                                                                                                                                                                                                                          SHA1:D92738FE7FE4A152CE56ED426818F244995C77B3
                                                                                                                                                                                                                          SHA-256:B310CAE0FB19BB6AFDE532EECBF082D4C891ED38D3094F1BA60624C8F29836A3
                                                                                                                                                                                                                          SHA-512:85AF331D16247AA35544C91A38269718C77007B34240AA7D373B0F3B7385A63AF07CF19BB89DE4A0F3398C8201244DE2CD213882F9F7963231B54783121C1E71
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:[Device Install Log].. OS Version = 10.0.19045.. Service Pack = 0.0.. Suite = 0x0100.. ProductType = 1.. Architecture = amd64....[BeginLog]....[Boot Session: 2023/10/03 09:57:02.288]....>>> [Setup Import Driver Package - C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf]..>>> Section start 2023/10/03 09:57:37.904.. cmd: C:\Windows\System32\spoolsv.exe.. inf: Provider: Microsoft.. inf: Class GUID: {4D36E979-E325-11CE-BFC1-08002BE10318}.. inf: Driver Version: 06/21/2006,10.0.19041.1806.. inf: Catalog File: prnms009.cat.. ump: Import flags: 0x0000000D.. pol: {Driver package policy check} 09:57:37.920.. pol: {Driver package policy check - exit(0x00000000)} 09:57:37.920.. sto: {Stage Driver Package: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf: {Query Configurability: C:\Windows\system32\spool\tools\Microsoft Print To PDF\prnms009.Inf} 09:57:37.920.. inf:
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):524288
                                                                                                                                                                                                                          Entropy (8bit):0.4239472938212855
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:mL/zm8DmT1xMS92sICkjd0x5AUko5HOLboAcKYzFlgbmraBW:mL/ZM7mjhRoZO/oAPG
                                                                                                                                                                                                                          MD5:32FBD60F5B6AD23BAAEADA7A46136825
                                                                                                                                                                                                                          SHA1:AA21B871D6AB2C3673AA5DD28060CAA0C7E73A85
                                                                                                                                                                                                                          SHA-256:55446E20C63B052C25B959DA5B0BB81FB45ADF77E34621AD3F8C3F3E989C30B9
                                                                                                                                                                                                                          SHA-512:CD2299622A20A043CEF5460291949C9ACFDD647159EBC5BCC12F66130035BC51E3B71791F8B1FB6554D063351092561018B64698C2A73C6AF7537C91E2BBF870
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):55
                                                                                                                                                                                                                          Entropy (8bit):4.306461250274409
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:YDQRWu83XfAw2fHbY:YMRl83Xt2f7Y
                                                                                                                                                                                                                          MD5:DCA83F08D448911A14C22EBCACC5AD57
                                                                                                                                                                                                                          SHA1:91270525521B7FE0D986DB19747F47D34B6318AD
                                                                                                                                                                                                                          SHA-256:2B4B2D4A06044AD0BD2AE3287CFCBECD90B959FEB2F503AC258D7C0A235D6FE9
                                                                                                                                                                                                                          SHA-512:96F3A02DC4AE302A30A376FC7082002065C7A35ECB74573DE66254EFD701E8FD9E9D867A2C8ABEB4C482738291B715D4965A0D2412663FDF1EE6CBC0BA9FBACA
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:{"fontSetUri":"fontset-2017-04.json","baseUri":"fonts"}
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10711
                                                                                                                                                                                                                          Entropy (8bit):7.2254581318251425
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:PqDhDNF748XJCO39JnxrEwJqKkhYCxXA6qnaj/rHr:OXPJxXxkh3xXhlzX
                                                                                                                                                                                                                          MD5:225E7BA0E5E2D46813E5C858A4D0D5B0
                                                                                                                                                                                                                          SHA1:5DD49014764F634164520583FD0CEC87AB1A1625
                                                                                                                                                                                                                          SHA-256:B0BAF5CB84FA4ACB34B77A6231052061DA6B8676D216833724B7A602622161FB
                                                                                                                                                                                                                          SHA-512:9C77ADF7E71ACA94489DFEB536F796A017B7C05771962274BAE2C614E2AE6799CCEB36CC58AC470184C37F52DEAC75988BB14E6A329F432C6D7CEDBCA18272A8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:Windows setup INFormation
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):7537
                                                                                                                                                                                                                          Entropy (8bit):5.046488463217706
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:wr8tW9yCTi3K4vlQd22bjR+iAUC7bdP+io3DcNSj6jvKFkinuEQTXvzLd4Z:LWlGMdkxzo3DcNSj6jvKFkinuEQTXvzq
                                                                                                                                                                                                                          MD5:50D29CA2E3DDB8A696923420EC2AC4FA
                                                                                                                                                                                                                          SHA1:D85F4E65FE10F13DED1780DDBD074EDFC75F2D25
                                                                                                                                                                                                                          SHA-256:817DFF7F4944A255A0A33B8D74EB60A755D8D268CC7AFD46FCE41E102E0A004B
                                                                                                                                                                                                                          SHA-512:03778A9CDDD23639C88E24BB5D0446DA3A400BB6B3321FB35887CD23D88D0F7AD3FE911642CC7F8D16D29CD9E42106851B0028379E8DBCB3C6721C238FC4A0D3
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:; ****************************************************************************..; * Copyright (C) 2002-2014 OpenVPN Technologies, Inc. *..; * This program is free software; you can redistribute it and/or modify *..; * it under the terms of the GNU General Public License version 2 *..; * as published by the Free Software Foundation. *..; ****************************************************************************....; SYNTAX CHECKER..; cd \WINDDK\3790\tools\chkinf..; chkinf c:\src\openvpn\tap-win32\i386\oemvista.inf..; OUTPUT -> file:///c:/WINDDK/3790/tools/chkinf/htm/c%23+src+openvpn+tap-win32+i386+__OemWin2k.htm....; INSTALL/REMOVE DRIVER..; tapinstall install OemVista.inf tapoas..; tapinstall update OemVista.inf tapoas..; tapinstall remove tapoas....;*********************************************************..; Note to Developers:..;..; If you are bundling the TAP-Windows driver with your app,..; you should try
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):10711
                                                                                                                                                                                                                          Entropy (8bit):7.2254581318251425
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:192:PqDhDNF748XJCO39JnxrEwJqKkhYCxXA6qnaj/rHr:OXPJxXxkh3xXhlzX
                                                                                                                                                                                                                          MD5:225E7BA0E5E2D46813E5C858A4D0D5B0
                                                                                                                                                                                                                          SHA1:5DD49014764F634164520583FD0CEC87AB1A1625
                                                                                                                                                                                                                          SHA-256:B0BAF5CB84FA4ACB34B77A6231052061DA6B8676D216833724B7A602622161FB
                                                                                                                                                                                                                          SHA-512:9C77ADF7E71ACA94489DFEB536F796A017B7C05771962274BAE2C614E2AE6799CCEB36CC58AC470184C37F52DEAC75988BB14E6A329F432C6D7CEDBCA18272A8
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                          Size (bytes):3474
                                                                                                                                                                                                                          Entropy (8bit):5.366534951286808
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:96:QO00eO00erMwUgWUg0B1kE3ZhpJp8ZpkRepk3YpgpND:QO00eO00erMwmkB1kAV
                                                                                                                                                                                                                          MD5:DCB2BAAE42CC7F768AFDEC6A54B867C6
                                                                                                                                                                                                                          SHA1:34296894D7F98E647FDED8AE5B2C6A73F2F0B0CC
                                                                                                                                                                                                                          SHA-256:8203907B9A1EFACAE3E5B744C23516333B23B24B5BF822EB06C4C01B7807AFB8
                                                                                                                                                                                                                          SHA-512:E3367EA226829C4606345D3C1B615CBFD1AB0A157F6CDA1C8A40522FE5F27F081B5AF319BBBB8E05597F941FC697811CD08592DEF06D91729718BB8CD7804B31
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6041 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #6699 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #4398 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2083 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #2459 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: SyncAllDBs Corruption or Schema Change..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #891 encountered JET error -1409..CatalogDB: 08:57:12 03/10/2023: catdbsvc.cpp at line #1307 encountered JET error -1601..CatalogDB: 08:57:12 03/10/2023: SyncDB:: Sync sta
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Windows\System32\xcopy.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):104424
                                                                                                                                                                                                                          Entropy (8bit):6.366713641084616
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:1536:Y79hJ78bsmPOC5lhtb5FGNk4wZO+cWK4orE3HazVvon6BK2s6th:YpL78XPOCN1GeOUKdebIKfS
                                                                                                                                                                                                                          MD5:95FD4F27F82A9E4D6E2A53AF7A9096E6
                                                                                                                                                                                                                          SHA1:5F772C89901841AF1814C858359AC5FEB9BE3C24
                                                                                                                                                                                                                          SHA-256:98CD2F27906E4FD7FA7FBE0EC747BADEF710BCA736A1AC5EE883756F2185818C
                                                                                                                                                                                                                          SHA-512:6B2E2BA90B33F6658C903203317299057C83545D46549D468CDAA1D6F7BCE887310411B9BF6EEA9D19C214A2041BB5E14FD9395CC4E2FE9FC31AB03B88A75019
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          File Type:PE32+ executable (native) x86-64, for MS Windows
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):39920
                                                                                                                                                                                                                          Entropy (8bit):6.333649052940754
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:768:bCxLEO/+ApBG35KBOXZZoZmTD11a+uiExMFYQjdJxh63NOe:tCI46F1a+jExMFFjzv69
                                                                                                                                                                                                                          MD5:059E578D456043A8C3B76EC365B375F3
                                                                                                                                                                                                                          SHA1:42189B6A1B8C736397113BFC2283F5E1E1A44E8E
                                                                                                                                                                                                                          SHA-256:A0170CF78105CE757E0549D79E4AE7C412240E8B81D262A24D76A047F181F881
                                                                                                                                                                                                                          SHA-512:99E6B6AF018D0E3509D9DBE00301A7D5D6645A2070A8144ACFF04842F8BBACCD81E7651578D08F47639CD2B7D00EB64ACDDFA8725BCE9A073580B7FCF7964E6A
                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          File Type:MS Windows registry file, NT/2000 or above
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):1835008
                                                                                                                                                                                                                          Entropy (8bit):4.421842752484483
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:6144:VSvfpi6ceLP/9skLmb0OT7WSPHaJG8nAgeMZMMhA2fX4WABlEnNp0uhiTw:cvloT7W+EZMM6DFyb03w
                                                                                                                                                                                                                          MD5:ED5A3CA0F54D6A10691934F5C7FC84CF
                                                                                                                                                                                                                          SHA1:437B84B2328B917F1C6CB7DBCC649604F65832B5
                                                                                                                                                                                                                          SHA-256:36B15632C364017DFA79BB54414647F07FA48B92D4CCCEFFFBB909CA579D1824
                                                                                                                                                                                                                          SHA-512:7C344DA3BDEAD19DC6E0D4EE25F82AE0EB77015B27DB0BA0025A0F488590F4D9129D72D23638299CD72DE8F2B1EFEFA7B223F6960DE9226AFBCE86F4BD68D354
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:regf>...>....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.3Tdp.................................................................................................................................................................................................................................................................................................................................................CP........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                                                          Process:C:\Program Files\FastestVPN\subinacl.exe
                                                                                                                                                                                                                          File Type:ASCII text
                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                          Size (bytes):133
                                                                                                                                                                                                                          Entropy (8bit):4.004784065185313
                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                          SSDEEP:3:E8Hu/FvfVFcLaNKB4z/F/eAFFXx26LX/FFVbQAtbR91q:E2u/F8La3FGgy6L1bVDq
                                                                                                                                                                                                                          MD5:CE8AE87D7F83FA032F2A60AB0B8F0FE4
                                                                                                                                                                                                                          SHA1:203E8416D17D3A9E03509009A8F20F94C51C0381
                                                                                                                                                                                                                          SHA-256:F3617B3A17F48864D33A4C32D4F9AE862B23E07F35504C8D4DBE79AC589D395D
                                                                                                                                                                                                                          SHA-512:091E97EA19CCF4D6870F8EA861DCCC0F87E4928AC39C64A2AA1085C94EAE5F6707919A18FB3A56EE94F7483950F34128E7E8D321129F810C0847F3493F269682
                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                          Preview:.Elapsed Time: 00 00:00:00.Done: 1, Modified 1, Failed 0, Syntax errors 0.Last Done : FastestVPNService.
                                                                                                                                                                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                          Entropy (8bit):7.993161668226584
                                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                                          • Win32 Executable (generic) a (10002005/4) 98.45%
                                                                                                                                                                                                                          • Inno Setup installer (109748/4) 1.08%
                                                                                                                                                                                                                          • Win32 EXE PECompact compressed (generic) (41571/9) 0.41%
                                                                                                                                                                                                                          • Win16/32 Executable Delphi generic (2074/23) 0.02%
                                                                                                                                                                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                                                          File name:PVUfopbGfc.exe
                                                                                                                                                                                                                          File size:21'250'384 bytes
                                                                                                                                                                                                                          MD5:249ed615e8b43896fffd3cb3755c7a0a
                                                                                                                                                                                                                          SHA1:1b28a72f6746ad76f7b25ab767ce7b775282fbeb
                                                                                                                                                                                                                          SHA256:402aacbb8dc07d96733eee2292f709d89d65efbe82d55e0dd4b7764cdde287b5
                                                                                                                                                                                                                          SHA512:6a08ab47a7bc99175b547bf74715f9ff95de4c4517cb734c7f1e0588de77edb2220bb229e4f253accdfe89a7ca13a956a7188feeb5f01d5587baee85da1cbbd7
                                                                                                                                                                                                                          SSDEEP:393216:B6EKDC4ast7NVuy0G/ZDJG4x6gm+T8fIXno94qqgQYpS9R0W/LVuq1Z:kEKDCFe7MQJG4sgm+Tdoq6QY09Cu
                                                                                                                                                                                                                          TLSH:31273323B2C7E03EF1592B7245B3906864F76E51A522BD538AF4A46CCF354621E3F70A
                                                                                                                                                                                                                          Icon Hash:701e0760791c0641
                                                                                                                                                                                                                          Entrypoint:0x4a83bc
                                                                                                                                                                                                                          Entrypoint Section:.itext
                                                                                                                                                                                                                          Digitally signed:true
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          Subsystem:windows gui
                                                                                                                                                                                                                          Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                                                                                                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                                                                                                                                                                                                                          Time Stamp:0x666711EF [Mon Jun 10 14:47:11 2024 UTC]
                                                                                                                                                                                                                          TLS Callbacks:
                                                                                                                                                                                                                          CLR (.Net) Version:
                                                                                                                                                                                                                          OS Version Major:6
                                                                                                                                                                                                                          OS Version Minor:1
                                                                                                                                                                                                                          File Version Major:6
                                                                                                                                                                                                                          File Version Minor:1
                                                                                                                                                                                                                          Subsystem Version Major:6
                                                                                                                                                                                                                          Subsystem Version Minor:1
                                                                                                                                                                                                                          Import Hash:40ab50289f7ef5fae60801f88d4541fc
                                                                                                                                                                                                                          Signature Valid:true
                                                                                                                                                                                                                          Signature Issuer:CN=SSL.com EV Code Signing Intermediate CA RSA R3, O=SSL Corp, L=Houston, S=Texas, C=US
                                                                                                                                                                                                                          Signature Validation Error:The operation completed successfully
                                                                                                                                                                                                                          Error Number:0
                                                                                                                                                                                                                          Not Before, Not After
                                                                                                                                                                                                                          • 15/01/2024 21:45:41 14/01/2025 21:45:41
                                                                                                                                                                                                                          Subject Chain
                                                                                                                                                                                                                          • OID.1.3.6.1.4.1.311.60.2.1.3=CA, OID.2.5.4.15=Private Organization, CN=Acira Consulting Inc., SERIALNUMBER=987024-5, O=Acira Consulting Inc., L=Mississauga, S=Ontario, C=CA
                                                                                                                                                                                                                          Version:3
                                                                                                                                                                                                                          Thumbprint MD5:4C9BC68042EB932BDCEC05026258C237
                                                                                                                                                                                                                          Thumbprint SHA-1:A70AB688FF0A7C3A22B030FBFFA8B56DC31F650A
                                                                                                                                                                                                                          Thumbprint SHA-256:49EB14C9EFDE16BD0546A80F058C7D10871ADACFD3B550A4F7007080377DA3BA
                                                                                                                                                                                                                          Serial:748A88467D46DF98B5246AFC4F5EEC64
                                                                                                                                                                                                                          Instruction
                                                                                                                                                                                                                          push ebp
                                                                                                                                                                                                                          mov ebp, esp
                                                                                                                                                                                                                          add esp, FFFFFFA4h
                                                                                                                                                                                                                          push ebx
                                                                                                                                                                                                                          push esi
                                                                                                                                                                                                                          push edi
                                                                                                                                                                                                                          xor eax, eax
                                                                                                                                                                                                                          mov dword ptr [ebp-3Ch], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-40h], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-5Ch], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-30h], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-38h], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-34h], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-2Ch], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-28h], eax
                                                                                                                                                                                                                          mov dword ptr [ebp-14h], eax
                                                                                                                                                                                                                          mov eax, 004A2EBCh
                                                                                                                                                                                                                          call 00007F6344A27F25h
                                                                                                                                                                                                                          xor eax, eax
                                                                                                                                                                                                                          push ebp
                                                                                                                                                                                                                          push 004A8AC1h
                                                                                                                                                                                                                          push dword ptr fs:[eax]
                                                                                                                                                                                                                          mov dword ptr fs:[eax], esp
                                                                                                                                                                                                                          xor edx, edx
                                                                                                                                                                                                                          push ebp
                                                                                                                                                                                                                          push 004A8A7Bh
                                                                                                                                                                                                                          push dword ptr fs:[edx]
                                                                                                                                                                                                                          mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                          mov eax, dword ptr [004B0634h]
                                                                                                                                                                                                                          call 00007F6344AB98ABh
                                                                                                                                                                                                                          call 00007F6344AB93FEh
                                                                                                                                                                                                                          lea edx, dword ptr [ebp-14h]
                                                                                                                                                                                                                          xor eax, eax
                                                                                                                                                                                                                          call 00007F6344AB40D8h
                                                                                                                                                                                                                          mov edx, dword ptr [ebp-14h]
                                                                                                                                                                                                                          mov eax, 004B41F4h
                                                                                                                                                                                                                          call 00007F6344A21FD3h
                                                                                                                                                                                                                          push 00000002h
                                                                                                                                                                                                                          push 00000000h
                                                                                                                                                                                                                          push 00000001h
                                                                                                                                                                                                                          mov ecx, dword ptr [004B41F4h]
                                                                                                                                                                                                                          mov dl, 01h
                                                                                                                                                                                                                          mov eax, dword ptr [0049CD14h]
                                                                                                                                                                                                                          call 00007F6344AB5403h
                                                                                                                                                                                                                          mov dword ptr [004B41F8h], eax
                                                                                                                                                                                                                          xor edx, edx
                                                                                                                                                                                                                          push ebp
                                                                                                                                                                                                                          push 004A8A27h
                                                                                                                                                                                                                          push dword ptr fs:[edx]
                                                                                                                                                                                                                          mov dword ptr fs:[edx], esp
                                                                                                                                                                                                                          call 00007F6344AB9933h
                                                                                                                                                                                                                          mov dword ptr [004B4200h], eax
                                                                                                                                                                                                                          mov eax, dword ptr [004B4200h]
                                                                                                                                                                                                                          cmp dword ptr [eax+0Ch], 01h
                                                                                                                                                                                                                          jne 00007F6344AC061Ah
                                                                                                                                                                                                                          mov eax, dword ptr [004B4200h]
                                                                                                                                                                                                                          mov edx, 00000028h
                                                                                                                                                                                                                          call 00007F6344AB5CF8h
                                                                                                                                                                                                                          mov edx, dword ptr [004B4200h]

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0xb7000 | 0x71 | .edata
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb5000 | 0xfec | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xba000 | 0x7088 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x1441b00 | 0x2650 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0xb9000 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0xb52d4 | 0x25c | .idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0xb6000 | 0x1a4 | .didata
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xa568c | 0xa5800 | b889d302f6fc48a904de33d8d947ae80 | False | 0.3620185045317221 | data | 6.377190161826806 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext | 0xa7000 | 0x1b64 | 0x1c00 | 588dd0a8ab499300d3701cbd11b017d9 | False | 0.548828125 | data | 6.109264411030635 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data | 0xa9000 | 0x3838 | 0x3a00 | 5c0c76e77aef52ebc6702430837ccb6e | False | 0.35338092672413796 | data | 4.95916338709992 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss | 0xad000 | 0x7258 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0xb5000 | 0xfec | 0x1000 | 627340dff539ef99048969aa4824fb2d | False | 0.380615234375 | data | 5.020404933181373 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.didata | 0xb6000 | 0x1a4 | 0x200 | fd11c1109737963cc6cb7258063abfd6 | False | 0.34765625 | data | 2.729290535217263 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata | 0xb7000 | 0x71 | 0x200 | 7de8ca0c7a61668a728fd3a88dc0942d | False | 0.1796875 | data | 1.305578535725827 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.tls | 0xb8000 | 0x18 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0xb9000 | 0x5d | 0x200 | d84006640084dc9f74a07c2ff9c7d656 | False | 0.189453125 | data | 1.3892750148744617 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.rsrc | 0xba000 | 0x7088 | 0x7200 | 65ba6bd3dcb2346eab195c2e7d1302ff | False | 0.2584635416666667 | data | 4.423029369973584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xba498 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3980496453900709
RT_ICON | 0xba900 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.274155722326454
RT_ICON | 0xbb9a8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.16514522821576763
RT_STRING | 0xbdf50 | 0x3f8 | data | | | 0.3198818897637795
RT_STRING | 0xbe348 | 0x2dc | data | | | 0.36475409836065575
RT_STRING | 0xbe624 | 0x430 | data | | | 0.40578358208955223
RT_STRING | 0xbea54 | 0x44c | data | | | 0.38636363636363635
RT_STRING | 0xbeea0 | 0x2d4 | data | | | 0.39226519337016574
RT_STRING | 0xbf174 | 0xb8 | data | | | 0.6467391304347826
RT_STRING | 0xbf22c | 0x9c | data | | | 0.6410256410256411
RT_STRING | 0xbf2c8 | 0x374 | data | | | 0.4230769230769231
RT_STRING | 0xbf63c | 0x398 | data | | | 0.3358695652173913
RT_STRING | 0xbf9d4 | 0x368 | data | | | 0.3795871559633027
RT_STRING | 0xbfd3c | 0x2a4 | data | | | 0.4275147928994083
RT_RCDATA | 0xbffe0 | 0x10 | data | | | 1.5
RT_RCDATA | 0xbfff0 | 0x310 | data | | | 0.6173469387755102
RT_RCDATA | 0xc0300 | 0x2c | data | | | 1.1363636363636365
RT_GROUP_ICON | 0xc032c | 0x30 | data | English | United States | 0.9166666666666666
RT_VERSION | 0xc035c | 0x584 | data | English | United States | 0.25
RT_MANIFEST | 0xc08e0 | 0x7a8 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.3377551020408163

DLL | Import
kernel32.dll | GetACP, GetExitCodeProcess, CloseHandle, LocalFree, SizeofResource, VirtualProtect, QueryPerformanceFrequency, VirtualFree, GetFullPathNameW, GetProcessHeap, ExitProcess, HeapAlloc, GetCPInfoExW, RtlUnwind, GetCPInfo, GetStdHandle, GetModuleHandleW, FreeLibrary, HeapDestroy, ReadFile, CreateProcessW, GetLastError, GetModuleFileNameW, SetLastError, FindResourceW, CreateThread, CompareStringW, LoadLibraryA, ResetEvent, GetVolumeInformationW, GetVersion, GetDriveTypeW, RaiseException, FormatMessageW, SwitchToThread, GetExitCodeThread, GetCurrentThread, LoadLibraryExW, LockResource, GetCurrentThreadId, UnhandledExceptionFilter, VirtualQuery, VirtualQueryEx, Sleep, EnterCriticalSection, SetFilePointer, LoadResource, SuspendThread, GetTickCount, GetFileSize, GetStartupInfoW, GetFileAttributesW, InitializeCriticalSection, GetSystemWindowsDirectoryW, GetThreadPriority, SetThreadPriority, GetCurrentProcess, VirtualAlloc, GetCommandLineW, GetSystemInfo, LeaveCriticalSection, GetProcAddress, ResumeThread, GetVersionExW, VerifyVersionInfoW, HeapCreate, GetWindowsDirectoryW, LCMapStringW, VerSetConditionMask, GetDiskFreeSpaceW, FindFirstFileW, GetUserDefaultUILanguage, lstrlenW, QueryPerformanceCounter, SetEndOfFile, HeapFree, WideCharToMultiByte, FindClose, MultiByteToWideChar, LoadLibraryW, SetEvent, CreateFileW, GetLocaleInfoW, GetSystemDirectoryW, DeleteFileW, GetLocalTime, GetEnvironmentVariableW, WaitForSingleObject, WriteFile, ExitThread, DeleteCriticalSection, TlsGetValue, GetDateFormatW, SetErrorMode, IsValidLocale, TlsSetValue, CreateDirectoryW, GetSystemDefaultUILanguage, EnumCalendarInfoW, LocalAlloc, GetUserDefaultLangID, RemoveDirectoryW, CreateEventW, SetThreadLocale, GetThreadLocale
comctl32.dll | InitCommonControls
user32.dll | CreateWindowExW, TranslateMessage, CharLowerBuffW, CallWindowProcW, CharUpperW, PeekMessageW, GetSystemMetrics, SetWindowLongW, MessageBoxW, DestroyWindow, CharUpperBuffW, CharNextW, MsgWaitForMultipleObjects, LoadStringW, ExitWindowsEx, DispatchMessageW
oleaut32.dll | SysAllocStringLen, SafeArrayPtrOfIndex, VariantCopy, SafeArrayGetLBound, SafeArrayGetUBound, VariantInit, VariantClear, SysFreeString, SysReAllocStringLen, VariantChangeType, SafeArrayCreate
advapi32.dll | ConvertStringSecurityDescriptorToSecurityDescriptorW, OpenThreadToken, AdjustTokenPrivileges, LookupPrivilegeValueW, RegOpenKeyExW, OpenProcessToken, FreeSid, AllocateAndInitializeSid, EqualSid, RegQueryValueExW, GetTokenInformation, ConvertSidToStringSidW, RegCloseKey

Name | Ordinal | Address
__dbk_fcall_wrapper | 2 | 0x40fc10
dbkFCallWrapperAddr | 1 | 0x4b063c

Language of compilation system | Country where language is spoken | Map
English | United States |

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 10:43:50.520870924 CEST | 53 | 64271 | 162.159.36.2 | 192.168.2.5
Oct 3, 2024 10:43:51.008928061 CEST | 61415 | 53 | 192.168.2.5 | 1.1.1.1
Oct 3, 2024 10:43:51.016621113 CEST | 53 | 61415 | 1.1.1.1 | 192.168.2.5

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 3, 2024 10:43:51.008928061 CEST | 192.168.2.5 | 1.1.1.1 | 0xa95b | Standard query (0) | 15.164.165.52.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 3, 2024 10:43:51.016621113 CEST | 1.1.1.1 | 192.168.2.5 | 0xa95b | Name error (3) | 15.164.165.52.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
Oct 3, 2024 10:44:16.491425991 CEST | 1.1.1.1 | 192.168.2.5 | 0x2a06 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
Oct 3, 2024 10:44:16.491425991 CEST | 1.1.1.1 | 192.168.2.5 | 0x2a06 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false


                                                                                                                                                                                                                          Target ID:0
                                                                                                                                                                                                                          Start time:04:43:16
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Users\user\Desktop\PVUfopbGfc.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\Desktop\PVUfopbGfc.exe"
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:21'250'384 bytes
                                                                                                                                                                                                                          MD5 hash:249ED615E8B43896FFFD3CB3755C7A0A
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:1
                                                                                                                                                                                                                          Start time:04:43:17
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Users\user\AppData\Local\Temp\is-M67KL.tmp\PVUfopbGfc.tmp" /SL5="$10438,20382094,735744,C:\Users\user\Desktop\PVUfopbGfc.exe"
                                                                                                                                                                                                                          Imagebase:0x400000
                                                                                                                                                                                                                          File size:3'045'888 bytes
                                                                                                                                                                                                                          MD5 hash:259E3EE4646FC251C3513EEF2683479F
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:Borland Delphi
                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000003.3097587058.0000000005370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                          Reputation:low
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:5
                                                                                                                                                                                                                          Start time:04:43:50
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\driver\install_tap.bat""
                                                                                                                                                                                                                          Imagebase:0x7ff67aa60000
                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:6
                                                                                                                                                                                                                          Start time:04:43:50
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:7
                                                                                                                                                                                                                          Start time:04:43:50
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
                                                                                                                                                                                                                          Imagebase:0x7ff72f970000
                                                                                                                                                                                                                          File size:77'312 bytes
                                                                                                                                                                                                                          MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                          Start time:04:43:50
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:find /i "x86"
                                                                                                                                                                                                                          Imagebase:0x7ff6647f0000
                                                                                                                                                                                                                          File size:17'920 bytes
                                                                                                                                                                                                                          MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                          Start time:04:43:51
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\cmd.exe /c ver
                                                                                                                                                                                                                          Imagebase:0x7ff67aa60000
                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:10
                                                                                                                                                                                                                          Start time:04:43:51
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:tapinstall.exe remove tap0901
                                                                                                                                                                                                                          Imagebase:0x7ff798c40000
                                                                                                                                                                                                                          File size:507'728 bytes
                                                                                                                                                                                                                          MD5 hash:E313336C82EB265542664CC7A360C5FF
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:11
                                                                                                                                                                                                                          Start time:04:43:51
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:tapinstall.exe install OemVista.inf tap0901
                                                                                                                                                                                                                          Imagebase:0x7ff798c40000
                                                                                                                                                                                                                          File size:507'728 bytes
                                                                                                                                                                                                                          MD5 hash:E313336C82EB265542664CC7A360C5FF
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:13
                                                                                                                                                                                                                          Start time:04:43:53
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                                                                                                                                                                                                          Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:14
                                                                                                                                                                                                                          Start time:04:43:53
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:DrvInst.exe "4" "0" "C:\Users\user\AppData\Local\Temp\{3de6fe3a-2caa-7342-a3c4-879d3bf6d444}\oemvista.inf" "9" "4d14a44ff" "0000000000000158" "WinSta0\Default" "0000000000000168" "208" "c:\program files\fastestvpn\resources\driver\windows10\amd64"
                                                                                                                                                                                                                          Imagebase:0x7ff791760000
                                                                                                                                                                                                                          File size:337'920 bytes
                                                                                                                                                                                                                          MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:15
                                                                                                                                                                                                                          Start time:04:43:55
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\drvinst.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:DrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem4.inf" "oem4.inf:3beb73aff103cc24:tap0901.ndi:9.24.2.601:tap0901," "4d14a44ff" "0000000000000158"
                                                                                                                                                                                                                          Imagebase:0x7ff791760000
                                                                                                                                                                                                                          File size:337'920 bytes
                                                                                                                                                                                                                          MD5 hash:294990C88B9D1FE0A54A1FA8BF4324D9
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:16
                                                                                                                                                                                                                          Start time:04:43:56
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s NetSetupSvc
                                                                                                                                                                                                                          Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:17
                                                                                                                                                                                                                          Start time:04:43:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:"C:\Windows\system32\cmd.exe" /C ""C:\Program Files\FastestVPN\Resources\sp\install_sp.bat""
                                                                                                                                                                                                                          Imagebase:0x7ff67aa60000
                                                                                                                                                                                                                          File size:289'792 bytes
                                                                                                                                                                                                                          MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:18
                                                                                                                                                                                                                          Start time:04:43:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:19
                                                                                                                                                                                                                          Start time:04:43:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:sc stop fastestvpndriver
                                                                                                                                                                                                                          Imagebase:0x7ff75ccf0000
                                                                                                                                                                                                                          File size:72'192 bytes
                                                                                                                                                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:20
                                                                                                                                                                                                                          Start time:04:43:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:21
                                                                                                                                                                                                                          Start time:04:43:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\reg.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:reg Query "HKLM\Hardware\Description\System\CentralProcessor\0"
                                                                                                                                                                                                                          Imagebase:0x7ff72f970000
                                                                                                                                                                                                                          File size:77'312 bytes
                                                                                                                                                                                                                          MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:22
                                                                                                                                                                                                                          Start time:04:43:57
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\find.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:find /i "x86"
                                                                                                                                                                                                                          Imagebase:0x7ff6647f0000
                                                                                                                                                                                                                          File size:17'920 bytes
                                                                                                                                                                                                                          MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

Target ID:23
Start time:04:43:57
Start date:03/10/2024
Path:C:\Windows\System32\reg.exe
Wow64 process (32bit):false
Commandline:reg QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
Imagebase:0x7ff72f970000
File size:77'312 bytes
MD5 hash:227F63E1D9008B36BDBCC4B397780BE4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:04:43:58
Start date:03/10/2024
Path:C:\Windows\System32\find.exe
Wow64 process (32bit):false
Commandline:find /i "Windows 7"
Imagebase:0x7ff6647f0000
File size:17'920 bytes
MD5 hash:4BF76A28D31FC73AA9FC970B22D056AF
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:04:43:58
Start date:03/10/2024
Path:C:\Windows\System32\xcopy.exe
Wow64 process (32bit):false
Commandline:xcopy /y driver\windows8\amd64\fastestvpndriver.sys C:\Windows\system32\drivers
Imagebase:0x7ff6728d0000
File size:50'688 bytes
MD5 hash:39FBFD3AF58238C6F9D4D408C9251FF5
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:04:43:58
Start date:03/10/2024
Path:C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe
Wow64 process (32bit):true
Commandline:release\nfregdrv.exe -u fastestvpndriver
Imagebase:0x400000
File size:61'064 bytes
MD5 hash:9333F583E2D32A47276DCEC7C2391FD2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:04:43:59
Start date:03/10/2024
Path:C:\Program Files\FastestVPN\Resources\sp\release\nfregdrv.exe
Wow64 process (32bit):true
Commandline:release\nfregdrv.exe fastestvpndriver
Imagebase:0x400000
File size:61'064 bytes
MD5 hash:9333F583E2D32A47276DCEC7C2391FD2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:04:43:59
Start date:03/10/2024
Path:C:\Windows\System32\sc.exe
Wow64 process (32bit):false
Commandline:"C:\Windows\system32\sc.exe" stop FastestVPNService
Imagebase:0x7ff75ccf0000
File size:72'192 bytes
MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:04:43:59
Start date:03/10/2024
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff6d64d0000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:04:43:59
Start date:03/10/2024
Path:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --uninstall
Imagebase:0x680000
File size:25'768 bytes
MD5 hash:22D4E4267DFE093E5E23C2F3D7741AA4
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:31
Start time:04:43:59
Start date:03/10/2024
Path:C:\Windows\System32\svchost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:0x7ff7e52b0000
File size:55'320 bytes
MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:32
Start time:04:43:59
Start date:03/10/2024
Path:C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1532 -ip 1532
Imagebase:0xf80000
File size:483'680 bytes
MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:33
Start time:04:43:59
Start date:03/10/2024
Path:C:\Program Files\FastestVPN\FastestVPN.exe
Wow64 process (32bit):true
Commandline:"C:\Program Files\FastestVPN\FastestVPN.exe" -autorun
Imagebase:0xb00000
File size:2'059'432 bytes
MD5 hash:01CF6EF766C41BB2C99A2CCCDECC69C1
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Has exited:false

                                                                                                                                                                                                                          Target ID:34
                                                                                                                                                                                                                          Start time:04:44:00
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 1076
                                                                                                                                                                                                                          Imagebase:0xf80000
                                                                                                                                                                                                                          File size:483'680 bytes
                                                                                                                                                                                                                          MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:35
                                                                                                                                                                                                                          Start time:04:44:01
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                                                                                                                                                                                                                          Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:36
                                                                                                                                                                                                                          Start time:04:44:02
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"powershell" -windowstyle hidden get-wmiobject Win32_ComputerSystemProduct | Select-Object -ExpandProperty UUID
                                                                                                                                                                                                                          Imagebase:0x270000
                                                                                                                                                                                                                          File size:433'152 bytes
                                                                                                                                                                                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:37
                                                                                                                                                                                                                          Start time:04:44:02
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:38
                                                                                                                                                                                                                          Start time:04:44:02
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
                                                                                                                                                                                                                          Imagebase:0x7ff7e52b0000
                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:40
                                                                                                                                                                                                                          Start time:04:44:45
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:"C:\Windows\system32\sc.exe" delete FastestVPNService
                                                                                                                                                                                                                          Imagebase:0x7ff75ccf0000
                                                                                                                                                                                                                          File size:72'192 bytes
                                                                                                                                                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:41
                                                                                                                                                                                                                          Start time:04:44:45
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:42
                                                                                                                                                                                                                          Start time:04:44:45
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe" --install
                                                                                                                                                                                                                          Imagebase:0x470000
                                                                                                                                                                                                                          File size:25'768 bytes
                                                                                                                                                                                                                          MD5 hash:22D4E4267DFE093E5E23C2F3D7741AA4
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:43
                                                                                                                                                                                                                          Start time:04:44:47
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Program Files\FastestVPN\subinacl.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Program Files\FastestVPN\subinacl.exe" /service FastestVPNService /GRANT=everyone=TO
                                                                                                                                                                                                                          Imagebase:0x1000000
                                                                                                                                                                                                                          File size:301'224 bytes
                                                                                                                                                                                                                          MD5 hash:4798226EE22C513302EE57D3AA94398B
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:44
                                                                                                                                                                                                                          Start time:04:44:47
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:45
                                                                                                                                                                                                                          Start time:04:44:47
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:"C:\Windows\system32\sc.exe" start FastestVPNService
                                                                                                                                                                                                                          Imagebase:0x7ff75ccf0000
                                                                                                                                                                                                                          File size:72'192 bytes
                                                                                                                                                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:46
                                                                                                                                                                                                                          Start time:04:44:47
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                          Target ID:47
                                                                                                                                                                                                                          Start time:04:44:48
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Program Files\FastestVPN\Service\FastestVPN.WindowsService.exe"
                                                                                                                                                                                                                          Imagebase:0x100000
                                                                                                                                                                                                                          File size:25'768 bytes
                                                                                                                                                                                                                          MD5 hash:22D4E4267DFE093E5E23C2F3D7741AA4
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:48
                                                                                                                                                                                                                          Start time:04:44:48
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Program Files\FastestVPN\Resources\ComDebug.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:"C:\Program Files\FastestVPN\Resources\ComDebug.exe"
                                                                                                                                                                                                                          Imagebase:0x7ff6db6b0000
                                                                                                                                                                                                                          File size:256'912 bytes
                                                                                                                                                                                                                          MD5 hash:850A43E323656B86AE665D8B4FD71369
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:50
                                                                                                                                                                                                                          Start time:04:44:50
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                                                          Imagebase:0x1080000
                                                                                                                                                                                                                          File size:82'432 bytes
                                                                                                                                                                                                                          MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:51
                                                                                                                                                                                                                          Start time:04:44:50
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                          Imagebase:0x7ff6d64d0000
                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                          Target ID:52
                                                                                                                                                                                                                          Start time:04:44:53
                                                                                                                                                                                                                          Start date:03/10/2024
                                                                                                                                                                                                                          Path:C:\Program Files\FastestVPN\FastestVPN.exe
                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                          Commandline:"C:\Program Files\FastestVPN\FastestVPN.exe"
                                                                                                                                                                                                                          Imagebase:0x480000
                                                                                                                                                                                                                          File size:2'059'432 bytes
                                                                                                                                                                                                                          MD5 hash:01CF6EF766C41BB2C99A2CCCDECC69C1
                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                            Execution Coverage:1.6%
                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                            Signature Coverage:23.8%
                                                                                                                                                                                                                            Total number of Nodes:223
                                                                                                                                                                                                                            Total number of Limit Nodes:4
33679 7ff798c4456a 33674->33679 33675->33673 33676->33670 33677 7ff798c446ec SetupDiEnumDeviceInfo 33677->33669 33677->33679 33678 7ff798c445a9 CM_Get_Device_ID_ExW 33678->33679 33679->33669 33679->33677 33679->33678 33681 7ff798c44820 SetupDiGetDeviceRegistryPropertyW GetLastError SetupDiGetDeviceRegistryPropertyW 33679->33681 33682 7ff798c450e0 41 API calls 33679->33682 33683 7ff798c44f10 41 API calls TranslateName 33679->33683 33681->33679 33682->33679 33683->33679 33685 7ff798c56cb8 33684->33685 33686 7ff798c56ca3 33684->33686 33685->33686 33688 7ff798c56cbd 33685->33688 33700 7ff798c76b7c 14 API calls _set_errno_from_matherr 33686->33700 33693 7ff798c56b3c 33688->33693 33689 7ff798c56ca8 33701 7ff798c769d0 31 API calls _invalid_parameter_noinfo_noreturn 33689->33701 33692 7ff798c44806 33692->33639 33702 7ff798c56b24 EnterCriticalSection 33693->33702 33695 7ff798c56b59 33696 7ff798c56bfc 64 API calls 33695->33696 33697 7ff798c56b62 33696->33697 33698 7ff798c56b30 LeaveCriticalSection 33697->33698 33699 7ff798c56b6c 33698->33699 33699->33692 33700->33689 33701->33692 33703->33649

Control-flow Graph (graph not preserved in this extract; legend: Executed / Not Executed; node 0 spans 7ff798c441d0-7ff798c44252)
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: Setup$Device$Info$CharListNext$ClassEnumErrorLastPropertyRegistry$CreateDestroyDetailDevice_DevsFromGet_GuidsNameOpen
• String ID:
• API String ID: 1969824741-0
• Opcode ID: 13dcc399ef928ee62f8ede801381d0fdfc620e090082716fb5c5ccbb41840535
• Instruction ID: b7098298113efadff5453ac505c4cb2b8197d4a798925fd9aab81a1f8c355f7b
• Opcode Fuzzy Hash: 13dcc399ef928ee62f8ede801381d0fdfc620e090082716fb5c5ccbb41840535
• Instruction Fuzzy Hash: AEE1A332A09A4295E730AF35E5003AAE3A2FB46B98FD84175DE4D53B98DF3CD481C714

Control-flow Graph (graph not preserved in this extract; legend: Executed / Not Executed; node 101 spans 7ff798c452e0-7ff798c4532e)
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: CharNextProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSystemValue
• String ID: SeShutdownPrivilege
• API String ID: 155161866-3733053543
• Opcode ID: 690a37cff1ebd05a7ace56d9b70eff1ddf708b3d2d7106c5651630866a9856b2
• Instruction ID: 8366ffc8ad29db84283f160822ee5d4f2ac55f2c0a416b73c92c4836ef33474f
• Opcode Fuzzy Hash: 690a37cff1ebd05a7ace56d9b70eff1ddf708b3d2d7106c5651630866a9856b2
• Instruction Fuzzy Hash: FA91C422A0964241EB70AB35E40437AF392FF86B84FD85075EA4E47BD5DF3CE5858724

Control-flow Graph

APIs
• SetupDiGetDeviceRegistryPropertyW.SETUPAPI(?,?,?,?,?,?,00007FF798C44624), ref: 00007FF798C4487F
• GetLastError.KERNEL32(?,?,?,?,?,?,00007FF798C44624), ref: 00007FF798C44894
• SetupDiGetDeviceRegistryPropertyW.SETUPAPI(?,?,?,?,?,?,?,?,?,00007FF798C44624), ref: 00007FF798C44906
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: DevicePropertyRegistrySetup$ErrorLast
• String ID:
• API String ID: 2536536880-0
• Opcode ID: b08a90b2f0a11205ef17a48f86861e3f30d8e072d4f5542cce9f06ad5cb14e1f
• Instruction ID: 0202d0a7ecfbf981f9294545f6250c044c6f97a2300296b2d01bb9700d0dec02
• Opcode Fuzzy Hash: b08a90b2f0a11205ef17a48f86861e3f30d8e072d4f5542cce9f06ad5cb14e1f
• Instruction Fuzzy Hash: 3E31E421609B4192EA309F31B44026AE3A6FB8AB90FDC0275EE9D43B95EF3CD040C758

Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: CurrentTime__scrt_fastfail$CounterFilePerformanceProcessQuerySystemThread__scrt_acquire_startup_lock__scrt_is_managed_app__scrt_release_startup_lock__security_init_cookie__vcrt_initialize
• String ID:
• API String ID: 1566696921-0
• Opcode ID: 5dc8b7a00be0a8ea12488835e6aaa7bc2ada64c6aaa8309da5ac7729ad6df155
• Instruction ID: fcfe78eaa642ea1e3f547e7f99e41d737815096aa1e4e3de153e8a08c0e3537b
• Opcode Fuzzy Hash: 5dc8b7a00be0a8ea12488835e6aaa7bc2ada64c6aaa8309da5ac7729ad6df155
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0F414821E0C14782FA74BB7494123B9D293EF57784FC844B5E64E5B3D3EE2CA5858238

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C871AD
                                                                                                                                                                                                                            • GetConsoleMode.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B,?,?,?,00007FF798C877D2), ref: 00007FF798C8726C
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B,?,?,?,00007FF798C877D2), ref: 00007FF798C872EC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ConsoleErrorLastMode_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2210144848-0
                                                                                                                                                                                                                            • Opcode ID: 5b577d0101186b3dee45c0514d8567f2aff468ee3d1ca196f04eb6bda83befe3
                                                                                                                                                                                                                            • Instruction ID: 23560bae9b23780f00c33d3ca377e8670c51ae02770e78ad79d5bf7eef664b61
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5b577d0101186b3dee45c0514d8567f2aff468ee3d1ca196f04eb6bda83befe3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6381B122A5861295EB70FB74C8446BCE6A0BB46788FC041B6EE0F53791EF3CA445C738

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: LoadString$FormatFreeLocalMessage
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 725706356-0
                                                                                                                                                                                                                            • Opcode ID: d1c2bf7ba6e30959b680a2a26bbfb6c667ed2b04af53c45da1eed3ab1d55b066
                                                                                                                                                                                                                            • Instruction ID: 49e1eb2597f061e933ca6aac50ab8a11432977bbe0764154e5f84ebb724f3643
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d1c2bf7ba6e30959b680a2a26bbfb6c667ed2b04af53c45da1eed3ab1d55b066
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 41419431B0868286E730AB31E4017BBF2A1FB86748FD48175DA4D53B84DF2CE485CB24

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Process$CurrentExitTerminate
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1703294689-0
                                                                                                                                                                                                                            • Opcode ID: 08b53547627d342cef18f15c3e291c34f31992f781596ea9132903bd88c460e4
                                                                                                                                                                                                                            • Instruction ID: 4980226707f1af10d5e50eb51e4ccbd193e93dc17c990ab72fee6f3aa6d8be47
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08b53547627d342cef18f15c3e291c34f31992f781596ea9132903bd88c460e4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81E04F30B0470282FA747B31AC95279E252BF8A741FD455FDC80E42352DE3EE4488229

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function
                                                                                                                                                                                                                            • String ID: AppPolicyGetProcessTerminationMethod
                                                                                                                                                                                                                            • API String ID: 2742660187-2031265017
                                                                                                                                                                                                                            • Opcode ID: 09745aa082c0f9a3d57ff4a42a6b74f56dafb84feddb837b008a725231bf0058
                                                                                                                                                                                                                            • Instruction ID: 05ab98b1351d4831f934c6c0c798152be2d3414273ff89a72d33ca9c34c3b748
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 09745aa082c0f9a3d57ff4a42a6b74f56dafb84feddb837b008a725231bf0058
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46E04F52E0550691FE256BB1A9401B0D214DF4A370FC803F1DA3D0A7D0AE3D9995C368

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 442123175-0
                                                                                                                                                                                                                            • Opcode ID: db3742f2bb6f116d389edc3337e853886a6bb6baf124e39b63c995694271e509
                                                                                                                                                                                                                            • Instruction ID: 26cf944694fa7aafa3a60e311c0af748a949300a2f718a8f433c55f38f32b558
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: db3742f2bb6f116d389edc3337e853886a6bb6baf124e39b63c995694271e509
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E31C032618A859ADB20AF35E4446E9F7A1FB5A780FC44072EB4E87B14EF38D455CB24

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileHandleType
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3000768030-0
                                                                                                                                                                                                                            • Opcode ID: 2a7858ea0a20d78d229f8241a9e12833e585a3072b3a1a0811a3e501217574ad
                                                                                                                                                                                                                            • Instruction ID: 348b8ca579ec5d5d4369ccd30e03d30ee8f71a3efe264c468dfbfabe611cefbe
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2a7858ea0a20d78d229f8241a9e12833e585a3072b3a1a0811a3e501217574ad
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E8314021A18E4691E7749B25C590178F660FB46BA0FE4037AEB6E073E0CF3DE465D358

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            • Executed
                                                                                                                                                                                                                            • Not Executed
                                                                                                                                                                                                                            control_flow_graph 427 7ff798c44770-7ff798c447c5 FormatMessageW 428 7ff798c447c7-7ff798c447c9 427->428 429 7ff798c44811-7ff798c44817 427->429 430 7ff798c4480b LocalFree 428->430 431 7ff798c447cb-7ff798c447ce 428->431 430->429 432 7ff798c447d0 431->432 433 7ff798c447f6-7ff798c44801 call 7ff798c56c8c 431->433 434 7ff798c447d3-7ff798c447d6 432->434 438 7ff798c44806 433->438 436 7ff798c447d8-7ff798c447db 434->436 437 7ff798c447de-7ff798c447f4 434->437 436->437 437->433 437->434 438->430
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF798C410DD), ref: 00007FF798C447B7
                                                                                                                                                                                                                            • LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF798C410DD), ref: 00007FF798C4480B
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FormatFreeLocalMessage
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1427518018-0
                                                                                                                                                                                                                            • Opcode ID: faddade6f339ff3cc93d48928193cad67dc264e1d8a9395bb651df8655175f89
                                                                                                                                                                                                                            • Instruction ID: 8649bc92f64ad6012b2b8d94384c7ae7cc51c96ad05a4b2866db90c705454f57
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: faddade6f339ff3cc93d48928193cad67dc264e1d8a9395bb651df8655175f89
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B118B72A1AB4491DB21DF21E84412DF3B6FF89B80BA58176CA5D43750EF3EC891C314

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: __vcrt_initialize__vcrt_initialize_locks__vcrt_initialize_winapi_thunks__vcrt_uninitialize
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1882725809-0
                                                                                                                                                                                                                            • Opcode ID: 8f237d6502b14b0254a4c674743dae8b4da91eb28c515f3ea25adcbd20d46fa1
                                                                                                                                                                                                                            • Instruction ID: 34abacbfec315f88ba5b03922732f2e6b57ec769ecc48d019e2dd3d4046108eb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8f237d6502b14b0254a4c674743dae8b4da91eb28c515f3ea25adcbd20d46fa1
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C0E01A00E1D15256FE74367514522B9DA828F1B780FC818FAD99F662C3DE0DB4C9653D

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00000000,00007FF798C76B85,?,?,?,?,00007FF798C56CA8,?,?,?,?,?,?,00000000), ref: 00007FF798C77773
                                                                                                                                                                                                                            • SetLastError.KERNEL32(?,?,00000000,00007FF798C76B85,?,?,?,?,00007FF798C56CA8,?,?,?,?,?,?,00000000), ref: 00007FF798C77811
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C789B4: try_get_function.LIBVCRUNTIME ref: 00007FF798C789D6
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$try_get_function
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 762735579-0
                                                                                                                                                                                                                            • Opcode ID: d4d1791d7704cc127bea98e5a03ffeedfc60c8c5dcac260ef9461f8b7b2dea69
                                                                                                                                                                                                                            • Instruction ID: 84b184b48a40f984f664b1555a2559df495076c0abbb65aff4a10e409b14b087
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d4d1791d7704cc127bea98e5a03ffeedfc60c8c5dcac260ef9461f8b7b2dea69
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D721AE20B0A24641FA79B331A94503DE291AF867B0FC04BB4D97F17BD6DE2CB442863C

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 77c9f455ae7dbfbf764ac100925fa24616ef860103a1a996772a9699631fd484
                                                                                                                                                                                                                            • Instruction ID: 61e2dce617bfbf405307881219146344841df1f326d9b70222e0c4393121fb0c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77c9f455ae7dbfbf764ac100925fa24616ef860103a1a996772a9699631fd484
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6421E032A0824245E721BF35A88177CF660AF46BA1FD405B9EA1E477D2DF7CE4418738

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HandleModule$AddressFreeLibraryProc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3947729631-0
Similarity
• API ID: _invalid_parameter_noinfo
• String ID:
• API String ID: 3215553584-0
Similarity
• API ID: __vcrt_uninitialize_ptdtry_get_function
• String ID:
• API String ID: 4056716597-0
APIs
• HeapAlloc.KERNEL32(?,?,00000000,00007FF798C777C1,?,?,00000000,00007FF798C76B85,?,?,?,?,00007FF798C56CA8), ref: 00007FF798C779CD
Similarity
• API ID: AllocHeap
• String ID:
• API String ID: 4292702814-0
Similarity
• API ID: Name::operator+$Name::doPchar$Name::operator+=
• String ID: [thunk]:$`adjustor{$`local static destructor helper'$`template static data member constructor helper'$`template static data member destructor helper'$`vtordispex{$`vtordisp{$extern "C" $private: $protected: $public: $static $virtual ${flat}${for $}'
• API String ID: 2654205828-3103905019
Similarity
• API ID: Setup$DeviceDriverInfoInstallParams$BuildCloseEnumListOpen
• String ID: DriverDesc$InfPath$InfSection$ProviderName
• API String ID: 1704563315-109328823
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo$memcpy_s$fegetenv
                                                                                                                                                                                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                                                                                                                                                                                            • API String ID: 808467561-2761157908
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Setup$ClassFromGuidsName$DestroyDeviceErrorInfoLastList
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1066883911-3916222277
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: memcpy_s$_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: s
                                                                                                                                                                                                                            • API String ID: 2880407647-453955339
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$AddressErrorFreeFullLastLoadNamePathProc
                                                                                                                                                                                                                            • String ID: SetupUninstallOEMInfW$setupapi.dll
                                                                                                                                                                                                                            • API String ID: 3805412813-3713901415
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: memcpy_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1502251526-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C7E0E0
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C76A20: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF798C769CD), ref: 00007FF798C76A29
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C76A20: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF798C769CD), ref: 00007FF798C76A4E
                                                                                                                                                                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C7E305
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo$CurrentFeaturePresentProcessProcessor
                                                                                                                                                                                                                            • String ID: *?
                                                                                                                                                                                                                            • API String ID: 1697365638-2564092906
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ProcessToken$AdjustCloseCurrentHandleInitiateLookupOpenPrivilegePrivilegesShutdownSystemValue
                                                                                                                                                                                                                            • String ID: SeShutdownPrivilege
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: memcpy_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: GetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C775F7
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: SetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C77695
                                                                                                                                                                                                                            • TranslateName.LIBCMT ref: 00007FF798C849CD
                                                                                                                                                                                                                            • TranslateName.LIBCMT ref: 00007FF798C84A08
                                                                                                                                                                                                                            • GetACP.KERNEL32(?,?,?,00000000,00000092,00007FF798C727F8), ref: 00007FF798C84A4D
                                                                                                                                                                                                                            • IsValidCodePage.KERNEL32(?,?,?,00000000,00000092,00007FF798C727F8), ref: 00007FF798C84A75
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLastNameTranslate$CodePageValid
                                                                                                                                                                                                                            • String ID: utf8
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Locale$CodeErrorInfoLastPageValid$DefaultEnumLocalesProcessSystemUser
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionFilterUnhandled$CaptureContextDebuggerEntryFunctionLookupPresentUnwindVirtual
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Find$File$CloseFirstNext
                                                                                                                                                                                                                            • String ID: .$.
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DirectoryFileFindFirstWindows
                                                                                                                                                                                                                            • String ID: \INF\OEM*.INF
                                                                                                                                                                                                                            • API String ID: 1585389207-2728984289
                                                                                                                                                                                                                            • Opcode ID: 96e7f8943384205df238da4809613e295090238b8a99556eaef6c16c72f10844
                                                                                                                                                                                                                            • Instruction ID: 55bc33ce7dbf7b535e8907a9e37270626d148ad94044928db2e1b1208f990a08
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 96e7f8943384205df238da4809613e295090238b8a99556eaef6c16c72f10844
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 44418461B1868285EE30AB34E5507B9E292EF86754FE84175CA4E437D5EF2CE445C328
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorFileLastWrite$Console
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 786612050-0
                                                                                                                                                                                                                            • Opcode ID: d3beed3413ee1199dba947ae966059d4b9df67c161722cedc9c5d103b3af1309
                                                                                                                                                                                                                            • Instruction ID: 00251c900292aec13692d882de37d5c4d9a3fc2a7888781be36b105bbc0dcc53
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d3beed3413ee1199dba947ae966059d4b9df67c161722cedc9c5d103b3af1309
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 92D10022B48A818AE720DB74D5485EDF7B1FB46788B944176DE8E47B89DE38E01AC314
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: InfoLocaletry_get_function
                                                                                                                                                                                                                            • String ID: GetLocaleInfoEx
                                                                                                                                                                                                                            • API String ID: 2200034068-2904428671
                                                                                                                                                                                                                            • Opcode ID: 02750f415f3cd806410832db7a44b855064978a5e13e35f6515160912ac6add6
                                                                                                                                                                                                                            • Instruction ID: 343d004db572afeedce7f3871241992ac2471005ccfbc31868b002cafbf52230
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 02750f415f3cd806410832db7a44b855064978a5e13e35f6515160912ac6add6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3801AD25B08A4282E720AB32B8004AAE661EB86BD0FD840B5DF4D13B65DE3CD5118358
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: memcpy_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1502251526-0
                                                                                                                                                                                                                            • Opcode ID: 8cea97ad10f18f43ea70dff6f68e6fc975f0f687338f3efd8ca2cf0a0ef5ac24
                                                                                                                                                                                                                            • Instruction ID: 5ec2d72d78133bf99c377868a5e788222b7ec9810cd16fba72e8bd9182957c5b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8cea97ad10f18f43ea70dff6f68e6fc975f0f687338f3efd8ca2cf0a0ef5ac24
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1BC1E472B582868BEB34DF29E08466AF7A1FB95784FC48134DB4E43B44DA3DE805CB44
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: GetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C775F7
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: SetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C77695
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF798C84F3C
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C5676C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C56789
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF798C84F85
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C5676C: _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C567E2
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF798C85050
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: InfoLocale$ErrorLast_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3644580040-0
                                                                                                                                                                                                                            • Opcode ID: e8c6a04a7efb30580b1de6acdcde22ad9448435ad199d966b2e32c4fa01e2337
                                                                                                                                                                                                                            • Instruction ID: 62ac24f54025dda69bcf0d7e80fedea85e0fe743314de9806228b62965172623
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e8c6a04a7efb30580b1de6acdcde22ad9448435ad199d966b2e32c4fa01e2337
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B5619C72A486428AEB34AF21E540279F3A1FB86B44FC08275DB8E83691DF7DF4518764
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: gfffffff
                                                                                                                                                                                                                            • API String ID: 3215553584-1523873471
                                                                                                                                                                                                                            • Opcode ID: 9a7811f407a379061f5ff88b26a0f4d0f292d93459f7b1a2d23494d512ae23e6
                                                                                                                                                                                                                            • Instruction ID: 489d494c09474e1076339cd74964eb1a4d5ff8c85e33052c599c4e8de6496ca8
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9a7811f407a379061f5ff88b26a0f4d0f292d93459f7b1a2d23494d512ae23e6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 05918866B097C686EF21EB39E4003BDE794AB52BC0F858072DA8D47391DE3DE506C711
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C7C769
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C76A20: IsProcessorFeaturePresent.KERNEL32(?,?,?,?,00007FF798C769CD), ref: 00007FF798C76A29
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C76A20: GetCurrentProcess.KERNEL32(?,?,?,?,00007FF798C769CD), ref: 00007FF798C76A4E
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CurrentFeaturePresentProcessProcessor_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: -
                                                                                                                                                                                                                            • API String ID: 4036615347-2547889144
                                                                                                                                                                                                                            • Opcode ID: 26c914aef9ac55f9fac2af390a0e01635bd93ea7664d4486faf8e589a2590b3f
                                                                                                                                                                                                                            • Instruction ID: 3015c59bb7c0ab4764a51a56785c0b3db417507898db1b9cabfc4fdb5378f571
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 26c914aef9ac55f9fac2af390a0e01635bd93ea7664d4486faf8e589a2590b3f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EE81F232A0878686E770AA35A40077AF791FB967E1FD48275EA9E43BD9DF3CD4008714
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function
                                                                                                                                                                                                                            • String ID: GetSystemTimePreciseAsFileTime
                                                                                                                                                                                                                            • API String ID: 2742660187-595813830
                                                                                                                                                                                                                            • Opcode ID: 1d0520b3f6df9746826bb7b6fcba1e6990199ef5daaa10c23599dce049dd0ac3
                                                                                                                                                                                                                            • Instruction ID: 759b3b3cba233e19475b757c15833719a97096c7fff083b569c27f925462ddaf
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1d0520b3f6df9746826bb7b6fcba1e6990199ef5daaa10c23599dce049dd0ac3
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FCE04F51E1A80791FA356B71A8101B0D250EF0A744FC404F2CA1D19250EE3DA595C32C
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionRaise_clrfp
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 15204871-0
                                                                                                                                                                                                                            • Opcode ID: 042903b91b322029902fdb30016251db946a203c4db05d47f10b001f22a1f15d
                                                                                                                                                                                                                            • Instruction ID: 07fbb2d602b43261affe589ea8c3aa008ccf0589061bbe010bbee80f63c5f02b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 042903b91b322029902fdb30016251db946a203c4db05d47f10b001f22a1f15d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 62B18073600B848BEB29DF39C48236CB7A0F745B48F9589A1DBAD837A4DB3AD451C714
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32(?,?,?,00007FF798C6FA89), ref: 00007FF798C7D9E1
                                                                                                                                                                                                                            • OutputDebugStringW.KERNEL32(?,?,?,00007FF798C6FA89), ref: 00007FF798C7D9F9
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C79448: try_get_function.LIBVCRUNTIME ref: 00007FF798C79468
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C79448: try_get_function.LIBVCRUNTIME ref: 00007FF798C7949A
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function$DebugDebuggerOutputPresentString
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1427332961-0
                                                                                                                                                                                                                            • Opcode ID: bbf1120ab076d3046cef33f858b518514843c8a031e2da90c53b3bbdb1b0fe59
                                                                                                                                                                                                                            • Instruction ID: 4648bbd1ddac65e1fcb0517f526920751095999c0c382dc8ab2f1d709c395250
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bbf1120ab076d3046cef33f858b518514843c8a031e2da90c53b3bbdb1b0fe59
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3F016121A1C64345FA747A71A40117DE160BF87BD0FD884B1EB4E9739ADE2DE4418239
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 7eacdffc94747950c49745c0d09deb37aea1570934fc463e3d7f1a4fcb0bc249
                                                                                                                                                                                                                            • Instruction ID: af7ec1db9d36513789dcbacc86ddb7f7712a329bd4e35a4ada689f885b48c319
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7eacdffc94747950c49745c0d09deb37aea1570934fc463e3d7f1a4fcb0bc249
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9902D121E5964741FA71BB31A800679E6D4AF43BA0FD847BADD6E573D1EE3CE4018328
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Info
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1807457897-0
                                                                                                                                                                                                                            • Opcode ID: a52a62605b49c2701fd2b762404e9ca2b9ab70b5d2b1519c35bf967cc62daf9e
                                                                                                                                                                                                                            • Instruction ID: 3b42002461a384ee50ee3f8b8227ea09504024c08193ec862e2addb070a6f8dd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a52a62605b49c2701fd2b762404e9ca2b9ab70b5d2b1519c35bf967cc62daf9e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EC129E22A08BC586E761DF3894446FDB3A4FB5A748F859275EF9C43692EF38E184C314
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: GetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C775F7
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: SetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C77695
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32 ref: 00007FF798C85188
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3736152602-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: GetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C775F7
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: SetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C77695
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF798C8557B,?,00000000,00000092,?,?,00000000,?,00007FF798C727F1), ref: 00007FF798C84DDA
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2417226690-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: GetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C775F7
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: SetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C77695
                                                                                                                                                                                                                            • GetLocaleInfoW.KERNEL32(?,?,?,00007FF798C850CD), ref: 00007FF798C85383
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$InfoLocale
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3736152602-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: GetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C775F7
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C775E8: SetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C77695
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(?,?,?,00007FF798C85537,?,00000000,00000092,?,?,00000000,?,00007FF798C727F1), ref: 00007FF798C84E8A
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2417226690-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnumSystemLocalesW.KERNEL32(?,?,00000000,00007FF798C78911,?,?,?,?,?,?,?,?,00000000,00007FF798C84244), ref: 00007FF798C77ABF
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: EnumLocalesSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2099609381-0
APIs
  • Part of subcall function 00007FF798C775E8: GetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C775F7
  • Part of subcall function 00007FF798C775E8: SetLastError.KERNEL32(?,?,?,00007FF798C87232,?,?,?,?,?,?,?,?,?,?,?,00007FF798C8712B), ref: 00007FF798C77695
• EnumSystemLocalesW.KERNEL32 ref: 00007FF798C84CFF
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: ErrorLast$EnumLocalesSystem
• String ID:
• API String ID: 2417226690-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: EnumLocalesSystem
• String ID:
• API String ID: 2099609381-0
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID:
• String ID: 0
• API String ID: 0-4108050209
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: 0
• API String ID: 3215553584-4108050209
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                            • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                            • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                            • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                            • API String ID: 0-4108050209
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                            • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: 0
                                                                                                                                                                                                                            • API String ID: 3215553584-4108050209
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00007FF798C8D20D
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C77978: HeapAlloc.KERNEL32(?,?,00000000,00007FF798C777C1,?,?,00000000,00007FF798C76B85,?,?,?,?,00007FF798C56CA8), ref: 00007FF798C779CD
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C779F8: HeapFree.KERNEL32(?,?,?,00007FF798C832DC,?,?,?,00007FF798C836FF,?,?,00000000,00007FF798C83F44,?,?,?,00007FF798C83E77), ref: 00007FF798C77A0E
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C779F8: GetLastError.KERNEL32(?,?,?,00007FF798C832DC,?,?,?,00007FF798C836FF,?,?,00000000,00007FF798C83F44,?,?,?,00007FF798C83E77), ref: 00007FF798C77A20
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C8C088: _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C8C0B6
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorHeapLast$AllocFree_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 916656526-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HeapProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 54951025-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLastNameTranslatetry_get_function$CodePageValid_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3827717455-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$CurrentFeatureInfoLocalePresentProcessProcessortry_get_function
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 959782435-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3215553584-0
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Similarity
• API ID: ErrorFreeHeapLast
• String ID:
• API String ID: 485612231-0
Similarity
• API ID: Name::operator+Name::operator+=$Decorator::getName$Name::Name::operator=$Name::doPchar$DimensionSigned$DataDecoratedEncodingStringSymbolType
• String ID: `anonymous namespace'$`string'$operator
• API String ID: 2020783597-815891235
Similarity
• API ID: Name::operator=$Name::operator+Name::operator+=$Decorator::getNameName::Type$DataName::doPchar
• String ID: volatile$<unknown>$UNKNOWN$__int128$__int16$__int32$__int64$__int8$__w64 $bool$char$char16_t$char32_t$const$double$float$int$long$long $short$signed $unsigned $void$volatile$wchar_t
• API String ID: 1480303775-3737837666
Similarity
• API ID: Decorator::get$Name::operator+=$DimensionSigned$Name$Name::operator+$DecoratedName::$DataName::doName::getPcharStringType
• String ID: NULL$`generic-class-parameter-$`generic-method-parameter-$`template-type-parameter-
• API String ID: 283215372-4167119577
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+$Decorator::get$DataIndirectNameName::Name::doName::operator+=PcharScopeType
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3173522582-0
                                                                                                                                                                                                                            • Opcode ID: 0f8fc59074820430211e5edccfc92087bcdcd104a7c28eeafd2b21ab4534d517
                                                                                                                                                                                                                            • Instruction ID: db632779e9a38bfc156a653c584cc9253744c456dce57dbfcfd338ba705b2ed4
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0f8fc59074820430211e5edccfc92087bcdcd104a7c28eeafd2b21ab4534d517
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 84028E76F086829AF720EF74D4801ECF7B2EB06748BC844B5EA0D57A99DE38D554C368
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetupOpenInfFileW.SETUPAPI(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46CD1
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46CE0
                                                                                                                                                                                                                            • SetupFindFirstLineW.SETUPAPI(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46D0C
                                                                                                                                                                                                                            • SetupGetStringFieldW.SETUPAPI(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46D32
                                                                                                                                                                                                                            • SetupFindFirstLineW.SETUPAPI(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46D89
                                                                                                                                                                                                                            • SetupGetStringFieldW.SETUPAPI(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46DB3
                                                                                                                                                                                                                            • CLSIDFromString.OLE32(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46DC9
                                                                                                                                                                                                                            • SetupDiGetClassDescriptionExW.SETUPAPI(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46DF2
                                                                                                                                                                                                                            • LoadLibraryW.KERNEL32(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46E3A
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,?,00000000,00000000,?,00007FF798C43786), ref: 00007FF798C46E5E
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00007FF798C46EA1
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 00007FF798C46EAE
                                                                                                                                                                                                                            • SetupFindFirstLineW.SETUPAPI ref: 00007FF798C46F08
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Setup$ErrorFindFirstLastLineString$Field$AddressClassDescriptionFileFromLibraryLoadOpenProc
                                                                                                                                                                                                                            • String ID: ClassGUID$DriverVer$Provider$SetupVerifyInfFile$Version$setupapi.dll
                                                                                                                                                                                                                            • API String ID: 2815445529-1638047923
                                                                                                                                                                                                                            • Opcode ID: ccf9f4b43b9fad1fa27bc109124458a99df6b9793aee5966b8e4b19aae1b4082
                                                                                                                                                                                                                            • Instruction ID: f56deed97e10baadd15b607d6289b24fb37fc8690843617fd3a1c91b17b7dd5d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ccf9f4b43b9fad1fa27bc109124458a99df6b9793aee5966b8e4b19aae1b4082
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D6919321A08A8251F730BB71E8106FAE252FF46B84FD441B1E90E476D9EF3DE585C368
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C79307
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C79326
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: GetProcAddress.KERNEL32(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C78300
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C79345
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: LoadLibraryExW.KERNELBASE(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C7824B
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: GetLastError.KERNEL32(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C78259
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: LoadLibraryExW.KERNEL32(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C7829B
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C79364
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: FreeLibrary.KERNEL32(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C782D4
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C79383
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C793A2
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C793C1
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C793E0
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C793FF
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C7941E
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function$Library$Load$AddressErrorFreeLastProc
                                                                                                                                                                                                                            • String ID: AreFileApisANSI$CompareStringEx$EnumSystemLocalesEx$GetDateFormatEx$GetLocaleInfoEx$GetTimeFormatEx$GetUserDefaultLocaleName$IsValidLocaleName$LCIDToLocaleName$LCMapStringEx$LocaleNameToLCID
                                                                                                                                                                                                                            • API String ID: 3255926029-3252031757
                                                                                                                                                                                                                            • Opcode ID: f5ddb8dc0f958fd9ea081183d1d9282a99c58eacf92a6cfce449543f48408e78
                                                                                                                                                                                                                            • Instruction ID: c97bfd34c2fab61a42f7a1806d7691c11d3495101ca4f68bb85adf69acc62cc1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f5ddb8dc0f958fd9ea081183d1d9282a99c58eacf92a6cfce449543f48408e78
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81317E6591AA4BA1F624FF74EC505F0E321FF46304FC014F2D10E166A1AE3EA65AC3AD
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Get_$Des_Res_$Conf_Log_$First_Free_Handle$Data_Next_$DetailDeviceInfoListNode_SetupSize_Status_
                                                                                                                                                                                                                            • String ID: DMA : %u$IO : %04I64x-%04I64x$IRQ : %u$MEM : %08I64x-%08I64x
                                                                                                                                                                                                                            • API String ID: 2957808706-3427375868
                                                                                                                                                                                                                            • Opcode ID: a4e06f8e4a64dca8354c6e1283bba188da2d5f0b0782a176430cef695ac593de
                                                                                                                                                                                                                            • Instruction ID: 45569bb28991f7b553fd9f8f957e2bab0f9d95f3ab2923a99623d92d62be0584
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a4e06f8e4a64dca8354c6e1283bba188da2d5f0b0782a176430cef695ac593de
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9391643261864296EB70EF34E444A7AE361FB82B84FC410B5EA4D47A99DF3DE444CB24
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Close$OpenService$ClassHandleSetup$ErrorFromGuidsLastManagerName_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: LowerFilters$UpperFilters$lower$upper
                                                                                                                                                                                                                            • API String ID: 159866419-3449112408
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Decorator::getNameReplicator::operator+=Template
                                                                                                                                                                                                                            • String ID: generic-type-$template-parameter-
                                                                                                                                                                                                                            • API String ID: 2731555906-13229604
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Setup$Driver$Info$InstallParams$DeviceEnumFormatListTime$BuildDateDestroyDetailErrorFileFreeLastLocalMessageSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2668181066-3916222277
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FrameHandler3::Unwind$BlockException$CatchDestructExecutionFramesHandlerHelperIs_bad_exception_allowedMatchNestedObjectSearchStateThrowTypestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                                                            • API String ID: 15165021-393685449
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Des_Res_$Get_$Data_Free_HandleNext_$Size_
                                                                                                                                                                                                                            • String ID: DMA : %u$IO : %04I64x-%04I64x$IRQ : %u$MEM : %08I64x-%08I64x
                                                                                                                                                                                                                            • API String ID: 1110773400-3427375868
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Setup$Driver$DeviceFileInfoInstallParamsQueue$ListScan$BuildCallClassCloseDestroyDetailEnumErrorFormatFreeInstallerLastLocalMessageOpenSelected
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1606212837-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Exception$DestructHelperIs_bad_exception_allowedMatchObjectThrowTypestd::bad_alloc::bad_alloc
                                                                                                                                                                                                                            • String ID: csm$csm$csm
                                                                                                                                                                                                                            • API String ID: 3999431683-393685449
                                                                                                                                                                                                                            • Opcode ID: dd461791980e8857ea159d38e58e30428d4de1eaec1c9c9603251b4acd30a3b7
                                                                                                                                                                                                                            • Instruction ID: daa1e044a05e5f0d8500a3369478769764ce693d6104a57f9b614f58e6f3803f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dd461791980e8857ea159d38e58e30428d4de1eaec1c9c9603251b4acd30a3b7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 70E1BE72A0C6828AEB30AF35D4402BDFBA0FB56748F944275DA8D47B66CF38E585C714
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Setup$Device$Info$ClassCreateList$CallDestroyFullInstallerNamePathPropertyRegistry
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1846165353-3916222277
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::Name::operator+Name::operator+=$Decorator::getDimensionName::doPcharSigned
                                                                                                                                                                                                                            • String ID: `template-parameter$void
                                                                                                                                                                                                                            • API String ID: 1951524168-4057429177
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: NameName::$Name::doName::operator+Pchar
                                                                                                                                                                                                                            • String ID: `non-type-template-parameter
                                                                                                                                                                                                                            • API String ID: 3026640183-4247534891
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FreeLibrary$AddressAttributesFileFormatFullLoadLocalMessageNamePathProc
                                                                                                                                                                                                                            • String ID: UpdateDriverForPlugAndPlayDevicesW$newdev.dll
                                                                                                                                                                                                                            • API String ID: 3199543795-3767700378
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::operator+=$Decorator::getNameName::operator+$Name::Name::operator=ScopeScoped
                                                                                                                                                                                                                            • String ID: void
                                                                                                                                                                                                                            • API String ID: 3176039966-3531332078
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3215553584-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF798C4672F
                                                                                                                                                                                                                            • SetupDiOpenClassRegKeyExW.SETUPAPI ref: 00007FF798C4676F
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32 ref: 00007FF798C4690B
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C44C30: RegQueryValueExW.ADVAPI32 ref: 00007FF798C44C83
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C44C30: GetLastError.KERNEL32 ref: 00007FF798C44C94
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C44C30: RegQueryValueExW.ADVAPI32 ref: 00007FF798C44CF6
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C44770: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF798C410DD), ref: 00007FF798C447B7
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C44770: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF798C410DD), ref: 00007FF798C4480B
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: QuerySetupValue$ClassCloseDetailDeviceErrorFormatFreeInfoLastListLocalMessageOpen
                                                                                                                                                                                                                            • String ID: %s$LowerFilters$UpperFilters
                                                                                                                                                                                                                            • API String ID: 1933970874-1836264166
                                                                                                                                                                                                                            • Opcode ID: 04773ff56f4774923785c4d0de67fe9c2026f8c065fe9d7dfa9ad0910a36cf95
                                                                                                                                                                                                                            • Instruction ID: c2726fe5294939fa2bfe532fc3cc3c3011842916f1f4e3ee8ac8b69624680838
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 04773ff56f4774923785c4d0de67fe9c2026f8c065fe9d7dfa9ad0910a36cf95
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 77515F21B0924255FA747B71E4153BAE243AF86B90FDC41B4E90E0B7C7DE6DA4C18379
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ClassSetup$BuildInfoList$DescriptionErrorFromGuidLastName
                                                                                                                                                                                                                            • String ID: %-20s: %s
                                                                                                                                                                                                                            • API String ID: 3437477559-1251934994
                                                                                                                                                                                                                            • Opcode ID: 8de683dbc796dd8caca86f2723ecdf9223d82be46d02b5834d92cca158fced3c
                                                                                                                                                                                                                            • Instruction ID: 707895e3e04b6bf47ac6a5063a0968319350cc22569e3bd595b0028a390d791d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8de683dbc796dd8caca86f2723ecdf9223d82be46d02b5834d92cca158fced3c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A51942271C68285EA70AF31E4407BAF3A1FB86B84FC84575DA8E47A94EF3CD545C718
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Name::doName::operator+Name::operator+=Pchar$NameName::Name::append
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3659116837-0
                                                                                                                                                                                                                            • Opcode ID: 6aaf8ef8ab975a96cade839fcc4cba8efc94d6294a4ba3211e0c36a2a6d5e19c
                                                                                                                                                                                                                            • Instruction ID: 3d6ad744d511014ad46951153b7a5c05dece2aa2949b7907970625419438ce64
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6aaf8ef8ab975a96cade839fcc4cba8efc94d6294a4ba3211e0c36a2a6d5e19c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 98614B32E18A4689F721EB34E8843A8F7A2EB46744FC844B5EA0D57795EF3DD485C314
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FileModuleName_set_error_mode
                                                                                                                                                                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                                                                                                                            • API String ID: 3581924421-4022980321
                                                                                                                                                                                                                            • Opcode ID: 0d1e8a8cf0d7e4a4f35967af43162b7572eefee810724939d3ab0ebac19dc9a6
                                                                                                                                                                                                                            • Instruction ID: fd31fbd72a7ac5b6765ed39c0da88adcaff3a223053c9b46240bc10a78f1bba0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0d1e8a8cf0d7e4a4f35967af43162b7572eefee810724939d3ab0ebac19dc9a6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71410826B18B4741FA34BB32A8005B6E354BF86BD4FC085B1EE1D977D6DE3CE1058218
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Setup$ClassDeviceInstallParams$CallDetailDevice_Get_InfoInstallerList
                                                                                                                                                                                                                            • String ID: %-60s: %s
                                                                                                                                                                                                                            • API String ID: 4184553637-3470069224
                                                                                                                                                                                                                            • Opcode ID: c50b428a501a26c9097843eac2ab180f505a000ca60ac8a98767d06fd166e556
                                                                                                                                                                                                                            • Instruction ID: c909f67a55a444b66a5546261767a751dd44aeb83053318fc7b90c8b0a5c2213
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c50b428a501a26c9097843eac2ab180f505a000ca60ac8a98767d06fd166e556
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C531527160868292FB709F31E844BAAE771FB85B88FC44179CA4D47A94DF3DD449CB24
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Library$AddressFreeLoadProc$AttributesFileFullNamePath
                                                                                                                                                                                                                            • String ID: SetupSetNonInteractiveMode$setupapi.dll
                                                                                                                                                                                                                            • API String ID: 1784877336-1268865691
                                                                                                                                                                                                                            • Opcode ID: 46b5fed04645d8eac7faa08d99b50c110e1da90dcc4f8194fdf02fdc9e3b2f99
                                                                                                                                                                                                                            • Instruction ID: 1415ef1a972e2eab3e2c729e9b5c9b1e821c7500ca40d614a18a51cba9cbc267
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 46b5fed04645d8eac7faa08d99b50c110e1da90dcc4f8194fdf02fdc9e3b2f99
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 87216026B0CB5182DA20AB37B441429E7A1BB8AFD4FC515B4EE8D47F24DF3CE0458718
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: ConsoleWrite$CloseCreateErrorFileHandleLast
• String ID: CONOUT$
• API String ID: 3230265001-3130406586
APIs
• SetupDiGetDeviceInfoListDetailW.SETUPAPI ref: 00007FF798C43B8A
• CM_Get_Device_ID_ExW.SETUPAPI ref: 00007FF798C43BB9
• CM_Get_DevNode_Status_Ex.SETUPAPI ref: 00007FF798C43BE1
• SetupDiSetDeviceRegistryPropertyW.SETUPAPI ref: 00007FF798C43E64
  • Part of subcall function 00007FF798C44770: FormatMessageW.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF798C410DD), ref: 00007FF798C447B7
  • Part of subcall function 00007FF798C44770: LocalFree.KERNEL32(?,?,?,?,?,?,?,?,00000000,?,00007FF798C410DD), ref: 00007FF798C4480B
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: DeviceGet_Setup$DetailDevice_FormatFreeInfoListLocalMessageNode_PropertyRegistryStatus_
• String ID: %-60s:
• API String ID: 1934003045-769737362
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: Name::operator+=$Replicator::operator+=
• String ID: ...
• API String ID: 3157425598-440645147
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: AddressFreeHandleLibraryModuleProc
• String ID: CorExitProcess$mscoree.dll
• API String ID: 4061214504-1276376045
APIs
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: AdjustPointer
• String ID:
• API String ID: 1740715915-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                                                                                            • Opcode ID: 2bc9a1a893ca783c65b1834ad9b2aafb0e365d30d060e1b3bfacd12602894cdc
                                                                                                                                                                                                                            • Instruction ID: 9548e9545248dd962c3c044f64109b44f11630982ce33665acf4956bd0fceda2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2bc9a1a893ca783c65b1834ad9b2aafb0e365d30d060e1b3bfacd12602894cdc
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6F512813D08D4681E63ABA34984077AD250BF53760FD486F5EABE275E1FF3EE8418618
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Setup$Class$InstallParams$CallDeviceInstaller$DetailDevice_Get_InfoList
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3081971210-0
                                                                                                                                                                                                                            • Opcode ID: 695bbc71baaaec773e58d73fb442ecad0b1640a0d8d46f012f6265395287b3fe
                                                                                                                                                                                                                            • Instruction ID: a99ba7805d3e969d52ac47ece4720c16a8da608e429dbe921aec3075ab57185e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 695bbc71baaaec773e58d73fb442ecad0b1640a0d8d46f012f6265395287b3fe
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 863173B160864586F730AB32E5057B9E6A1FB86FC8FC4417ADA8D07B88CF3DD4458B24
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _set_statfp
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1156100317-0
                                                                                                                                                                                                                            • Opcode ID: e7b1107881e48292ca022c74fe2ec48e51bdb5760dfe1fdbb7d7208ffa06045a
                                                                                                                                                                                                                            • Instruction ID: afa3baecbe2211e65d27aea17f9927afa07b9c44dbb47b90e02ef9ba138fe7a1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e7b1107881e48292ca022c74fe2ec48e51bdb5760dfe1fdbb7d7208ffa06045a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B211BF22E18A0305F6783174D447375D081AF57368FDB06F6E97E06AE7AE2EE841A16C
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                            • Opcode ID: f803d8c648c2122474ce86b0b39a3cc156ebe4fa619f756f266b7816edd56d32
                                                                                                                                                                                                                            • Instruction ID: f3292368d0ecd6f3a9b9b0402d6fdbac1d14a297b77b36af03af300e8164e2de
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f803d8c648c2122474ce86b0b39a3cc156ebe4fa619f756f266b7816edd56d32
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9291B0B3A0CB819AEB20DB75E8402BDF7A0FB05788F944269EA4D07755DF38E195C714
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                            • Opcode ID: 696b434c9b65d82e3cb3a69da655823cedb2bb2a6dca5773e12b0c135f28c375
                                                                                                                                                                                                                            • Instruction ID: f2c2c643cb6642738a0e2f8bea53a3831e48a9c1394e37a6cb52d4f4bdc46a51
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 696b434c9b65d82e3cb3a69da655823cedb2bb2a6dca5773e12b0c135f28c375
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6181707381C742C6EF78AE359054178FBA0EB07B58FD802B6CA8946389CF39E441C729
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                            • Opcode ID: ebf6addb0422a3df8c88c69004cf465780081765257e989b9b1ed44549212502
                                                                                                                                                                                                                            • Instruction ID: 588f12327b33753192bae8ae17910ace2db913773f7fd40226e3431ef34c170c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ebf6addb0422a3df8c88c69004cf465780081765257e989b9b1ed44549212502
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E881607280CA8785EBB4BF35904407CF6A0EB03B56FD401B7DA4A86299DF39E541D739
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: -$e+000$gfff
                                                                                                                                                                                                                            • API String ID: 3215553584-2620144452
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: $*
                                                                                                                                                                                                                            • API String ID: 3215553584-3982473090
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CallEncodePointerTranslator
                                                                                                                                                                                                                            • String ID: MOC$RCC
                                                                                                                                                                                                                            • API String ID: 3544855599-2084237596
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateDestructExceptionFrameInfoObject__except_validate_context_record
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 146877497-1018135373
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: QueryValue$ErrorLast
                                                                                                                                                                                                                            • String ID: LowerFilters
                                                                                                                                                                                                                            • API String ID: 181557691-1260524392
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DetailDeviceDevice_Get_InfoListSetup
                                                                                                                                                                                                                            • String ID: %-60s: %s$%s
                                                                                                                                                                                                                            • API String ID: 3680031113-1339393084
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Exception$DestructObject$Raise
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 2826525264-1018135373
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DetailDeviceDevice_Get_InfoListSetup
                                                                                                                                                                                                                            • String ID: %-60s: %s$%s
                                                                                                                                                                                                                            • API String ID: 3680031113-1339393084
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Exception$DestructObject$Raise
                                                                                                                                                                                                                            • String ID: csm
                                                                                                                                                                                                                            • API String ID: 2826525264-1018135373
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C79527
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C7954E
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: GetProcAddress.KERNEL32(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C78300
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function$AddressProc
                                                                                                                                                                                                                            • String ID: GetProcessWindowStation$GetUserObjectInformationW
                                                                                                                                                                                                                            • API String ID: 1640347226-2732317663
                                                                                                                                                                                                                            • Opcode ID: 6f5883c30fa4d970a6b2ca5bc24385a593e52fa01d7559c029fb7798c3f6cd56
                                                                                                                                                                                                                            • Instruction ID: 387f1e0eb2c7a186c42a79aab2b557d73e31960364cf430109c8f580785754c7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6f5883c30fa4d970a6b2ca5bc24385a593e52fa01d7559c029fb7798c3f6cd56
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C9114D31A2968692EBA1AF34E8401B5E3A1FF46744FC405B5E94E06794EF3DE449C728
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function
                                                                                                                                                                                                                            • String ID: MessageBoxW$RoInitialize
                                                                                                                                                                                                                            • API String ID: 2742660187-1810702038
                                                                                                                                                                                                                            • Opcode ID: dd70e31a59fc5cbf4f5a0b82821224db7ed2afd1b9f1bcf175a30592a1cc4cdc
                                                                                                                                                                                                                            • Instruction ID: 9c75d87d3eeb57c2c3f7a1d4fd5ebf9db75b847ff00f550d59bc99d0407bdc1f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dd70e31a59fc5cbf4f5a0b82821224db7ed2afd1b9f1bcf175a30592a1cc4cdc
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9911C222B0964692FB25AF61F8400B4E324EF46B80FC804F6DF1D0BB55DE3DE5958328
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function
                                                                                                                                                                                                                            • String ID: SetThreadStackGuarantee$SystemFunction036
                                                                                                                                                                                                                            • API String ID: 2742660187-2910880125
                                                                                                                                                                                                                            • Opcode ID: 82353169a2ab33f6a6eac203720c7793f9c27a950768576486ffb45298bb144f
                                                                                                                                                                                                                            • Instruction ID: dbf8cc7b01ec4c2cff0a8919ebceb498334c9238b9fc1583cdc611a334353370
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 82353169a2ab33f6a6eac203720c7793f9c27a950768576486ffb45298bb144f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 74012111A1954695FB29AB75E9410F4F311EF4A340FC800F1DE1D06751EE7DE995C32C
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C79468
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C7949A
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: GetProcAddress.KERNEL32(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C78300
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function$AddressProc
                                                                                                                                                                                                                            • String ID: GetActiveWindow$GetLastActivePopup
                                                                                                                                                                                                                            • API String ID: 1640347226-3742175580
                                                                                                                                                                                                                            • Opcode ID: 96139b02f01ac1a12e8e8bbed336b4c2bf4c2c17f5e7323450708969746c16ee
                                                                                                                                                                                                                            • Instruction ID: c7e25b116367dafb64bb384a0acf70416fdaeff9ecdbbc671867df9dd4a8c609
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 96139b02f01ac1a12e8e8bbed336b4c2bf4c2c17f5e7323450708969746c16ee
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0DF0E761A2A60791FA35BBB1E9501F0D290AF0A750FC404F5D90D06390EE3DA589C23D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C7924C
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C7926E
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C781A8: GetProcAddress.KERNEL32(?,?,00000006,00007FF798C78A2A,?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85), ref: 00007FF798C78300
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: try_get_function$AddressProc
                                                                                                                                                                                                                            • String ID: MessageBoxA$MessageBoxW
                                                                                                                                                                                                                            • API String ID: 1640347226-1053882329
                                                                                                                                                                                                                            • Opcode ID: d25e26e93fbc0f399955a4174ee145feb3741ebe1ff497b5d2ef8bac74c6ea03
                                                                                                                                                                                                                            • Instruction ID: 68c03ad58752d6bebc7b6acb3966657f926af756e19a1eef66e7afed37297997
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d25e26e93fbc0f399955a4174ee145feb3741ebe1ff497b5d2ef8bac74c6ea03
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D2F03C62A0964792EE24FF70E8814F4E364EF46744BC400F6D60D12265EE7CEA49C7A8
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                             • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FilePointer$ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 142388799-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Initialize__scrt_fastfail__scrt_initialize_default_local_stdio_options_invalid_parameter_noinfo_onexit_set_fmode
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2724578021-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: MachineNode_$Connect_Disconnect_Locate_Reenumerate_
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 218754429-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: HeapManager::getMemoryName::operator+=Name::operator=
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2929307750-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FilePointer$ErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 142388799-0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: *
                                                                                                                                                                                                                            • API String ID: 3215553584-163128923
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: *
                                                                                                                                                                                                                            • API String ID: 3215553584-163128923
                                                                                                                                                                                                                            • Opcode ID: 273e77a1793748d35078b520fc40068adaf46b422db4c706b51f3ef3c241a5fe
                                                                                                                                                                                                                            • Instruction ID: 365e5d21418e08e629a403c82a57394d39d88a06f59000259eb81168456ebecf
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 273e77a1793748d35078b520fc40068adaf46b422db4c706b51f3ef3c241a5fe
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5C719872909A1386E778AF38805507DF7A0EB56B18FD41179DE4AB229DDF28D881C72C
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: *
                                                                                                                                                                                                                            • API String ID: 3215553584-163128923
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: *
                                                                                                                                                                                                                            • API String ID: 3215553584-163128923
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • _invalid_parameter_noinfo.LIBCMT ref: 00007FF798C70642
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C779F8: HeapFree.KERNEL32(?,?,?,00007FF798C832DC,?,?,?,00007FF798C836FF,?,?,00000000,00007FF798C83F44,?,?,?,00007FF798C83E77), ref: 00007FF798C77A0E
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C779F8: GetLastError.KERNEL32(?,?,?,00007FF798C832DC,?,?,?,00007FF798C836FF,?,?,00000000,00007FF798C83F44,?,?,?,00007FF798C83E77), ref: 00007FF798C77A20
                                                                                                                                                                                                                            • GetModuleFileNameW.KERNEL32(?,?,?,?,?,00007FF798C47805), ref: 00007FF798C70660
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe, xrefs: 00007FF798C7064E
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorFileFreeHeapLastModuleName_invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                            • API String ID: 3580290477-2985852448
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe, xrefs: 00007FF798C6FDBF
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: C:\Program Files\FastestVPN\Resources\driver\windows10\amd64\tapinstall.exe
                                                                                                                                                                                                                            • API String ID: 3215553584-2985852448
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorFileLastWrite
                                                                                                                                                                                                                            • String ID: U
                                                                                                                                                                                                                            • API String ID: 442123175-4171548499
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: _invalid_parameter_noinfo
                                                                                                                                                                                                                            • String ID: (null)
                                                                                                                                                                                                                            • API String ID: 3215553584-3941151225
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: (null)
• API String ID: 3215553584-3941151225
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: EntryInterlockedListNamePush__un
• String ID:
• API String ID: 524438517-3916222277
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: (null)
• API String ID: 3215553584-3941151225
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: _invalid_parameter_noinfo
• String ID: (null)
• API String ID: 3215553584-3941151225
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: _set_errno_from_matherr
• String ID: exp
• API String ID: 1187470696-113136155
APIs
Strings
Memory Dump Source
• Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
• Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
• Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
Similarity
• API ID: Stringtry_get_function
• String ID: LCMapStringEx
• API String ID: 2588686239-3893581201
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CompareStringtry_get_function
                                                                                                                                                                                                                            • String ID: CompareStringEx
                                                                                                                                                                                                                            • API String ID: 3328479835-2590796910
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DateFormattry_get_function
                                                                                                                                                                                                                            • String ID: GetDateFormatEx
                                                                                                                                                                                                                            • API String ID: 595753042-159735388
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: FormatTimetry_get_function
                                                                                                                                                                                                                            • String ID: GetTimeFormatEx
                                                                                                                                                                                                                            • API String ID: 3261793192-1692793031
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: DefaultUsertry_get_function
                                                                                                                                                                                                                            • String ID: GetUserDefaultLocaleName
                                                                                                                                                                                                                            • API String ID: 3217810228-151340334
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CountCriticalInitializeSectionSpintry_get_function
                                                                                                                                                                                                                            • String ID: InitializeCriticalSectionEx
                                                                                                                                                                                                                            • API String ID: 539475747-3084827643
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • std::bad_alloc::bad_alloc.LIBCMT ref: 00007FF798C48A7D
                                                                                                                                                                                                                            • _CxxThrowException.LIBVCRUNTIME ref: 00007FF798C48A8E
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C495E8: RtlPcToFileHeader.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF798C48A93), ref: 00007FF798C4965D
                                                                                                                                                                                                                              • Part of subcall function 00007FF798C495E8: RaiseException.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00007FF798C48A93), ref: 00007FF798C4968F
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Exception$FileHeaderRaiseThrowstd::bad_alloc::bad_alloc
                                                                                                                                                                                                                            • String ID: Unknown exception
                                                                                                                                                                                                                            • API String ID: 3561508498-410509341
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C78A25
                                                                                                                                                                                                                            • TlsSetValue.KERNEL32(?,?,00000000,00007FF798C777AE,?,?,00000000,00007FF798C76B85,?,?,?,?,00007FF798C56CA8), ref: 00007FF798C78A3C
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Valuetry_get_function
                                                                                                                                                                                                                            • String ID: FlsSetValue
                                                                                                                                                                                                                            • API String ID: 738293619-3750699315
                                                                                                                                                                                                                            • Opcode ID: f6d5dd2663f4e630c5fdec50bbb7cd7a8c87450e82d038accba4aa9b3675ea98
                                                                                                                                                                                                                            • Instruction ID: 68772b6b42252d41f6c020d7ec78fb0e08b9699b30b1653e76c2f8d6da00d426
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f6d5dd2663f4e630c5fdec50bbb7cd7a8c87450e82d038accba4aa9b3675ea98
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24E06561A1854391FB246B70F8000B8E221EF89790FC850F6DA1D06754DE3DD494832C
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • try_get_function.LIBVCRUNTIME ref: 00007FF798C4A56D
                                                                                                                                                                                                                            • TlsSetValue.KERNEL32(?,?,?,00007FF798C49CC5,?,?,?,?,00007FF798C491A4,?,?,?,?,00007FF798C4814B), ref: 00007FF798C4A584
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000000A.00000002.2471972370.00007FF798C41000.00000020.00000001.01000000.00000008.sdmp, Offset: 00007FF798C40000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2471946587.00007FF798C40000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472040603.00007FF798C94000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472070922.00007FF798CA7000.00000004.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            • Associated: 0000000A.00000002.2472117462.00007FF798CAA000.00000002.00000001.01000000.00000008.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_7ff798c40000_tapinstall.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Valuetry_get_function
                                                                                                                                                                                                                            • String ID: FlsSetValue
                                                                                                                                                                                                                            • API String ID: 738293619-3750699315
                                                                                                                                                                                                                            • Opcode ID: 620ae2d36bd9a72b075ae6d885032ef81b4224fd675c2c0689d5fc8c746a91d4
                                                                                                                                                                                                                            • Instruction ID: 0be17ffe85f7b0a02f6ee1aca175debe2ab0148d4d2fd8a3d7d4012600eda40c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 620ae2d36bd9a72b075ae6d885032ef81b4224fd675c2c0689d5fc8c746a91d4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A6E06562A08943E1EB297B71F5404B8E322AF89780FCD40F5D91D06254DE3DD494C328

                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                            Execution Coverage:1.2%
                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                                                            Signature Coverage:2.9%
                                                                                                                                                                                                                            Total number of Nodes:2000
                                                                                                                                                                                                                            Total number of Limit Nodes:28
10010300 WriteFile 16310->16313 16314 100100d5 16310->16314 16311->16334 16315 1000fe9e GetConsoleMode 16312->16315 16316 10010327 GetLastError 16313->16316 16321 100100aa 16313->16321 16317 10010179 16314->16317 16338 100100e3 16314->16338 16315->16310 16318 1000fec3 16315->16318 16316->16321 16335 10010185 16317->16335 16336 10010228 16317->16336 16318->16310 16319 1000fed2 GetConsoleCP 16318->16319 16319->16321 16346 1000feef 16319->16346 16320 10010363 16322 10009230 __output_l 67 API calls 16320->16322 16320->16334 16321->16320 16323 1001033c 16321->16323 16321->16334 16325 10010380 16322->16325 16327 10010344 16323->16327 16328 10010358 16323->16328 16324 10010133 WriteFile 16324->16316 16324->16338 16331 10009243 __locking 67 API calls 16325->16331 16326 1001027b WideCharToMultiByte 16326->16316 16333 100102ae WriteFile 16326->16333 16332 10009230 __output_l 67 API calls 16327->16332 16368 10009256 16328->16368 16329 100101de WriteFile 16329->16316 16329->16335 16331->16334 16339 10010349 16332->16339 16333->16336 16337 100102dc GetLastError 16333->16337 16334->16293 16335->16320 16335->16321 16335->16329 16336->16320 16336->16321 16336->16326 16336->16333 16337->16336 16338->16320 16338->16321 16338->16324 16341 10009243 __locking 67 API calls 16339->16341 16341->16334 16342 10010c66 79 API calls __locking 16342->16346 16343 100119d9 11 API calls __putwch_nolock 16343->16346 16344 1000ff8f WideCharToMultiByte 16344->16321 16345 1000ffba WriteFile 16344->16345 16345->16316 16345->16346 16346->16316 16346->16321 16346->16342 16346->16343 16346->16344 16347 1000fffc WriteFile 16346->16347 16365 100108c3 16346->16365 16347->16316 16347->16346 16387 100119b7 LeaveCriticalSection 16348->16387 16350 1001048b 16350->16237 16354 1000943b LeaveCriticalSection 16351->16354 16353 100119b5 16353->16281 16354->16353 16373 100118a6 16355->16373 16357 1000fc0f 16358 1000fc17 16357->16358 16359 1000fc28 SetFilePointer 16357->16359 16360 10009230 __output_l 67 API calls 
16358->16360 16361 1000fc40 GetLastError 16359->16361 16362 1000fc1c 16359->16362 16360->16362 16361->16362 16363 1000fc4a 16361->16363 16362->16300 16364 10009256 __dosmaperr 67 API calls 16363->16364 16364->16362 16366 1001088d __isleadbyte_l 77 API calls 16365->16366 16367 100108ce 16366->16367 16367->16346 16369 10009243 __locking 67 API calls 16368->16369 16370 1000925c __dosmaperr 16369->16370 16371 10009230 __output_l 67 API calls 16370->16371 16372 10009270 16371->16372 16372->16334 16374 100118c6 16373->16374 16375 100118af 16373->16375 16377 10009243 __locking 67 API calls 16374->16377 16379 10011913 16374->16379 16376 10009243 __locking 67 API calls 16375->16376 16378 100118b4 16376->16378 16380 100118f4 16377->16380 16381 10009230 __output_l 67 API calls 16378->16381 16379->16357 16382 10009230 __output_l 67 API calls 16380->16382 16383 100118bc 16381->16383 16384 100118fb 16382->16384 16383->16357 16385 100082eb __output_l 67 API calls 16384->16385 16386 1001190b 16385->16386 16386->16357 16387->16350 16391 100119b7 LeaveCriticalSection 16388->16391 16390 1000fd8d 16390->16269 16391->16390 16392->15685 16394 10007cb9 16393->16394 16400 10007c1a 16393->16400 16395 1000a715 _malloc 66 API calls 16394->16395 16396 10007cbf 16395->16396 16398 10009230 __output_l 66 API calls 16396->16398 16397 1000a6d2 __FF_MSGBANNER 66 API calls 16397->16400 16399 10007cc5 16398->16399 16399->15641 16400->16397 16402 1000a532 _malloc 66 API calls 16400->16402 16403 10007c7d HeapAlloc 16400->16403 16404 1000a280 _malloc 3 API calls 16400->16404 16405 10007cb0 16400->16405 16406 10007ca4 16400->16406 16408 1000a715 _malloc 66 API calls 16400->16408 16409 10007ca2 16400->16409 16411 10007bbd 16400->16411 16402->16400 16403->16400 16404->16400 16405->15641 16407 10009230 __output_l 66 API calls 16406->16407 16407->16409 16408->16400 16410 10009230 __output_l 66 API calls 16409->16410 16410->16405 16412 10007bc9 __ioinit 16411->16412 16413 10007bfa __ioinit 16412->16413 16414 
10009513 __lock 67 API calls 16412->16414 16413->16400 16415 10007bdf 16414->16415 16416 10009d60 ___sbh_alloc_block 5 API calls 16415->16416 16417 10007bea 16416->16417 16419 10007c03 16417->16419 16422 1000943b LeaveCriticalSection 16419->16422 16421 10007c0a 16421->16413 16422->16421 16424 100095f4 16423->16424 16429 10009896 16423->16429 16425 100097e0 VirtualFree 16424->16425 16424->16429 16426 10009844 16425->16426 16427 10009853 VirtualFree HeapFree 16426->16427 16426->16429 16428 10008360 _memmove_s __VEC_memcpy 16427->16428 16428->16429 16429->15662 16433 1000943b LeaveCriticalSection 16430->16433 16432 10007b8c 16432->15654 16433->16432 16434 10008cc4 16435 10008cd0 16434->16435 16436 10008ccb 16434->16436 16440 10008bce 16435->16440 16448 1000d7ad 16436->16448 16439 10008ce1 16441 10008bda __ioinit 16440->16441 16445 10008c27 ___DllMainCRTStartup 16441->16445 16446 10008c77 __ioinit 16441->16446 16452 100089f5 16441->16452 16443 10008c57 16444 100089f5 __CRT_INIT@12 163 API calls 16443->16444 16443->16446 16444->16446 16445->16443 16445->16446 16447 100089f5 __CRT_INIT@12 163 API calls 16445->16447 16446->16439 16447->16443 16449 1000d7d0 16448->16449 16450 1000d7dd GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter 16448->16450 16449->16450 16451 1000d7d4 16449->16451 16450->16451 16451->16435 16453 10008a08 GetProcessHeap HeapAlloc 16452->16453 16454 10008b1f 16452->16454 16455 10008a2c GetVersionExA 16453->16455 16470 10008a25 16453->16470 16456 10008b25 16454->16456 16457 10008b5a 16454->16457 16458 10008a47 GetProcessHeap HeapFree 16455->16458 16459 10008a3c GetProcessHeap HeapFree 16455->16459 16462 10008b44 16456->16462 16456->16470 16636 1000a4d7 16456->16636 16460 10008bb8 16457->16460 16461 10008b5f 16457->16461 16463 10008a73 16458->16463 16459->16470 16460->16470 16639 1000aca7 16460->16639 16464 1000a9b0 __CRT_INIT@12 67 API calls 16461->16464 16469 1000d2b2 __CRT_INIT@12 68 API calls 
16462->16469 16462->16470 16505 100092cf HeapCreate 16463->16505 16467 10008b64 16464->16467 16471 1000b195 __calloc_crt 67 API calls 16467->16471 16474 10008b4e 16469->16474 16470->16445 16475 10008b70 16471->16475 16472 10008aa9 16472->16470 16473 10008ab2 16472->16473 16515 1000ad10 GetModuleHandleA 16473->16515 16477 1000a9fb __mtterm 68 API calls 16474->16477 16475->16470 16478 1000a91e __output_l 67 API calls 16475->16478 16480 10008b53 16477->16480 16481 10008b8e 16478->16481 16479 10008ab7 __RTC_Initialize 16484 10008aca GetCommandLineA 16479->16484 16498 10008abb 16479->16498 16482 10009329 __heap_term 4 API calls 16480->16482 16485 10008b95 16481->16485 16486 10008bac 16481->16486 16482->16470 16554 1000d62a 16484->16554 16488 1000aa38 __CRT_INIT@12 67 API calls 16485->16488 16489 10007b2f __output_l 67 API calls 16486->16489 16491 10008b9c GetCurrentThreadId 16488->16491 16504 10008ac0 16489->16504 16491->16470 16493 10008ae4 16494 10008ae8 16493->16494 16600 1000d571 16493->16600 16594 1000a9fb 16494->16594 16548 10009329 16498->16548 16499 10008b08 16499->16504 16631 1000d2b2 16499->16631 16504->16470 16506 100092f2 16505->16506 16507 100092ef 16505->16507 16650 10009274 16506->16650 16507->16472 16510 10009301 16659 10009544 HeapAlloc 16510->16659 16511 10009325 16511->16472 16514 10009310 HeapDestroy 16514->16507 16516 1000ad22 16515->16516 16517 1000ad2b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 16515->16517 16518 1000a9fb __mtterm 68 API calls 16516->16518 16519 1000ad75 TlsAlloc 16517->16519 16520 1000ad27 16518->16520 16522 1000adc3 TlsSetValue 16519->16522 16523 1000ae8f 16519->16523 16520->16479 16522->16523 16524 1000add4 16522->16524 16523->16479 16677 1000a4e6 16524->16677 16529 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16530 1000adf4 16529->16530 16531 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16530->16531 16532 1000ae04 16531->16532 16533 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16532->16533 16534 1000ae14 
16533->16534 16694 1000939d 16534->16694 16537 1000ae8a 16539 1000a9fb __mtterm 68 API calls 16537->16539 16538 1000a91e __output_l 67 API calls 16540 1000ae35 16538->16540 16539->16523 16540->16537 16541 1000b195 __calloc_crt 67 API calls 16540->16541 16542 1000ae4e 16541->16542 16542->16537 16543 1000a91e __output_l 67 API calls 16542->16543 16544 1000ae68 16543->16544 16544->16537 16545 1000ae6f 16544->16545 16546 1000aa38 __CRT_INIT@12 67 API calls 16545->16546 16547 1000ae77 GetCurrentThreadId 16546->16547 16547->16523 16549 10009335 16548->16549 16550 10009389 HeapDestroy 16548->16550 16551 10009378 HeapFree 16549->16551 16552 10009351 VirtualFree HeapFree 16549->16552 16550->16504 16551->16550 16552->16552 16553 10009377 16552->16553 16553->16551 16555 1000d665 16554->16555 16556 1000d646 GetEnvironmentStringsW 16554->16556 16558 1000d64e 16555->16558 16559 1000d700 16555->16559 16557 1000d65a GetLastError 16556->16557 16556->16558 16557->16555 16561 1000d680 GetEnvironmentStringsW 16558->16561 16562 1000d68f WideCharToMultiByte 16558->16562 16560 1000d708 GetEnvironmentStrings 16559->16560 16563 10008ada 16559->16563 16560->16563 16564 1000d718 16560->16564 16561->16562 16561->16563 16566 1000d6c3 16562->16566 16567 1000d6f5 FreeEnvironmentStringsW 16562->16567 16579 1000d05e 16563->16579 16568 1000b155 __malloc_crt 67 API calls 16564->16568 16569 1000b155 __malloc_crt 67 API calls 16566->16569 16567->16563 16570 1000d731 16568->16570 16571 1000d6c9 16569->16571 16572 1000d744 ___crtGetEnvironmentStringsA 16570->16572 16573 1000d738 FreeEnvironmentStringsA 16570->16573 16571->16567 16574 1000d6d2 WideCharToMultiByte 16571->16574 16577 1000d74c FreeEnvironmentStringsA 16572->16577 16573->16563 16575 1000d6ec 16574->16575 16576 1000d6e3 16574->16576 16575->16567 16578 10007b2f __output_l 67 API calls 16576->16578 16577->16563 16578->16575 16704 1000a044 16579->16704 16581 1000d06a GetStartupInfoA 16582 1000b195 __calloc_crt 67 API calls 16581->16582 16583 
1000d08b 16582->16583 16584 1000d2a9 __ioinit 16583->16584 16585 1000d1f0 16583->16585 16588 1000b195 __calloc_crt 67 API calls 16583->16588 16590 1000d173 16583->16590 16584->16493 16585->16584 16586 1000d226 GetStdHandle 16585->16586 16587 1000d28b SetHandleCount 16585->16587 16589 1000d238 GetFileType 16585->16589 16592 1000e5c6 ___crtInitCritSecAndSpinCount 67 API calls 16585->16592 16586->16585 16587->16584 16588->16583 16589->16585 16590->16584 16590->16585 16591 1000d19c GetFileType 16590->16591 16593 1000e5c6 ___crtInitCritSecAndSpinCount 67 API calls 16590->16593 16591->16590 16592->16585 16593->16590 16595 1000aa05 16594->16595 16599 1000aa11 16594->16599 16596 1000a91e __output_l 67 API calls 16595->16596 16596->16599 16597 1000aa33 16597->16597 16598 1000aa25 TlsFree 16598->16597 16599->16597 16599->16598 16601 1000d584 16600->16601 16602 1000d589 GetModuleFileNameA 16600->16602 16705 1000f6de 16601->16705 16604 1000d5b0 16602->16604 16709 1000d3d9 16604->16709 16607 1000b155 __malloc_crt 67 API calls 16608 1000d5f2 16607->16608 16609 1000d3d9 _parse_cmdline 77 API calls 16608->16609 16610 10008af4 16608->16610 16609->16610 16610->16499 16611 1000d2fe 16610->16611 16612 1000d30b 16611->16612 16614 1000d310 _strlen 16611->16614 16613 1000f6de ___initmbctable 111 API calls 16612->16613 16613->16614 16615 1000b195 __calloc_crt 67 API calls 16614->16615 16618 10008afd 16614->16618 16623 1000d343 _strlen 16615->16623 16616 1000d39e 16617 10007b2f __output_l 67 API calls 16616->16617 16617->16618 16618->16499 16625 1000a352 16618->16625 16619 1000b195 __calloc_crt 67 API calls 16619->16623 16620 1000d3c3 16621 10007b2f __output_l 67 API calls 16620->16621 16621->16618 16623->16616 16623->16618 16623->16619 16623->16620 16624 100081ef __invoke_watson 10 API calls 16623->16624 16899 1000b7b8 16623->16899 16624->16623 16626 1000a35b __cinit 16625->16626 16908 1000e7df 16626->16908 16628 1000a37a __initterm_e 16630 1000a39b __cinit 16628->16630 16912 10008080 
16628->16912 16630->16499 16633 1000d2b9 16631->16633 16632 1000d2fb 16632->16494 16633->16632 16634 1000d2cd DeleteCriticalSection 16633->16634 16635 10007b2f __output_l 67 API calls 16633->16635 16634->16633 16635->16633 17012 1000a3e4 16636->17012 16638 1000a4e2 16638->16462 16640 1000acb0 16639->16640 16649 1000acfb 16639->16649 16643 1000acb9 TlsGetValue 16640->16643 16644 1000acdc 16640->16644 16641 1000ad06 TlsSetValue 16642 1000ad0f 16641->16642 16642->16470 16643->16644 16645 1000accc TlsGetValue 16643->16645 16646 1000a91e __output_l 67 API calls 16644->16646 16645->16644 16647 1000acf2 16646->16647 17035 1000ab86 16647->17035 16649->16641 16649->16642 16661 1000a2df 16650->16661 16652 1000928b 16653 1000929a 16652->16653 16668 100081ef 16652->16668 16655 1000a316 _malloc 67 API calls 16653->16655 16656 100092a6 16655->16656 16657 100081ef __invoke_watson 10 API calls 16656->16657 16658 100092b5 16656->16658 16657->16658 16658->16510 16658->16511 16660 1000930b 16659->16660 16660->16511 16660->16514 16662 1000a2ea 16661->16662 16663 10009230 __output_l 67 API calls 16662->16663 16664 1000a310 16662->16664 16665 1000a2ef 16663->16665 16664->16652 16666 100082eb __output_l 67 API calls 16665->16666 16667 1000a2ff 16666->16667 16667->16652 16675 1000b330 16668->16675 16670 10008280 IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter 16671 100082c3 GetCurrentProcess TerminateProcess 16670->16671 16674 100082b7 __invoke_watson 16670->16674 16672 10007ccf __output_l 5 API calls 16671->16672 16673 100082e3 16672->16673 16673->16653 16674->16671 16676 1000b33c __VEC_memzero 16675->16676 16676->16670 16698 1000a915 16677->16698 16679 1000a4ec __init_pointers 16701 1000e54e 16679->16701 16682 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16683 1000a528 16682->16683 16684 1000a8a7 TlsGetValue 16683->16684 16685 1000a8ba 16684->16685 16686 1000a8db GetModuleHandleA 16684->16686 16685->16686 16688 1000a8c4 TlsGetValue 16685->16688 16687 1000a8ec 
16686->16687 16693 1000a8d3 16686->16693 16689 1000a83b __output_l 63 API calls 16687->16689 16691 1000a8cf 16688->16691 16690 1000a8f1 16689->16690 16692 1000a8f5 GetProcAddress 16690->16692 16690->16693 16691->16686 16691->16693 16692->16693 16693->16529 16695 100093a6 16694->16695 16696 100093d4 16695->16696 16697 1000e5c6 ___crtInitCritSecAndSpinCount 67 API calls 16695->16697 16696->16537 16696->16538 16697->16695 16699 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16698->16699 16700 1000a91c 16699->16700 16700->16679 16702 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16701->16702 16703 1000a51e 16702->16703 16703->16682 16704->16581 16706 1000f6e7 16705->16706 16708 1000f6ee 16705->16708 16715 1000f544 16706->16715 16708->16602 16711 1000d3f6 16709->16711 16713 1000d463 16711->16713 16893 10010cce 16711->16893 16712 1000d561 16712->16607 16712->16610 16713->16712 16714 10010cce 77 API calls _parse_cmdline 16713->16714 16714->16713 16716 1000f550 __ioinit 16715->16716 16717 1000ab6e FindHandler 67 API calls 16716->16717 16718 1000f559 16717->16718 16719 1000f24d _LocaleUpdate::_LocaleUpdate 69 API calls 16718->16719 16720 1000f563 16719->16720 16746 1000f2f1 16720->16746 16723 1000b155 __malloc_crt 67 API calls 16724 1000f584 16723->16724 16725 1000f6a3 __ioinit 16724->16725 16753 1000f36b 16724->16753 16725->16708 16728 1000f5b4 InterlockedDecrement 16729 1000f5c4 16728->16729 16730 1000f5d5 InterlockedIncrement 16728->16730 16729->16730 16735 10007b2f __output_l 67 API calls 16729->16735 16730->16725 16736 1000f5eb 16730->16736 16731 1000f6c3 16734 10009230 __output_l 67 API calls 16731->16734 16732 1000f6b0 16732->16725 16732->16731 16733 10007b2f __output_l 67 API calls 16732->16733 16733->16731 16734->16725 16737 1000f5d4 16735->16737 16736->16725 16738 10009513 __lock 67 API calls 16736->16738 16737->16730 16740 1000f5ff InterlockedDecrement 16738->16740 16741 1000f67b 16740->16741 16742 1000f68e InterlockedIncrement 16740->16742 16741->16742 16744 
10007b2f __output_l 67 API calls 16741->16744 16763 1000f6a5 16742->16763 16745 1000f68d 16744->16745 16745->16742 16747 1000bbfe _LocaleUpdate::_LocaleUpdate 77 API calls 16746->16747 16748 1000f303 16747->16748 16749 1000f32c 16748->16749 16750 1000f30e GetOEMCP 16748->16750 16751 1000f331 GetACP 16749->16751 16752 1000f31e 16749->16752 16750->16752 16751->16752 16752->16723 16752->16725 16754 1000f2f1 getSystemCP 79 API calls 16753->16754 16755 1000f389 16754->16755 16756 1000f394 setSBCS 16755->16756 16759 1000f3d8 IsValidCodePage 16755->16759 16762 1000f3fd _memset __setmbcp 16755->16762 16757 10007ccf __output_l 5 API calls 16756->16757 16758 1000f542 16757->16758 16758->16728 16758->16732 16759->16756 16760 1000f3ea GetCPInfo 16759->16760 16760->16756 16760->16762 16766 1000f0c3 GetCPInfo 16762->16766 16892 1000943b LeaveCriticalSection 16763->16892 16765 1000f6ac 16765->16725 16767 1000f0fa _memset 16766->16767 16768 1000f1a3 16766->16768 16776 1001128e 16767->16776 16772 10007ccf __output_l 5 API calls 16768->16772 16774 1000f245 16772->16774 16774->16762 16775 100116b2 ___crtLCMapStringA 102 API calls 16775->16768 16777 1000bbfe _LocaleUpdate::_LocaleUpdate 77 API calls 16776->16777 16778 1001129f 16777->16778 16786 100110d6 16778->16786 16781 100116b2 16782 1000bbfe _LocaleUpdate::_LocaleUpdate 77 API calls 16781->16782 16783 100116c3 16782->16783 16845 10011310 16783->16845 16787 100110f5 GetStringTypeW 16786->16787 16788 10011120 16786->16788 16789 10011115 GetLastError 16787->16789 16790 1001110d 16787->16790 16788->16790 16791 10011207 16788->16791 16789->16788 16792 10011159 MultiByteToWideChar 16790->16792 16809 10011201 16790->16809 16814 10011e31 GetLocaleInfoA 16791->16814 16798 10011186 16792->16798 16792->16809 16794 10007ccf __output_l 5 API calls 16796 1000f15e 16794->16796 16796->16781 16797 1001119b _memset __alloca_probe_16 16803 100111d4 MultiByteToWideChar 16797->16803 16797->16809 16798->16797 16801 10007c0c _malloc 67 API calls 
16798->16801 16799 10011258 GetStringTypeA 16800 10011273 16799->16800 16799->16809 16806 10007b2f __output_l 67 API calls 16800->16806 16801->16797 16804 100111fb 16803->16804 16805 100111ea GetStringTypeW 16803->16805 16810 1000fa35 16804->16810 16805->16804 16806->16809 16809->16794 16811 1000fa3d 16810->16811 16812 1000fa4e 16810->16812 16811->16812 16813 10007b2f __output_l 67 API calls 16811->16813 16812->16809 16813->16812 16815 10011e62 16814->16815 16816 10011e5d 16814->16816 16817 10011814 ___ansicp 90 API calls 16815->16817 16818 10007ccf __output_l 5 API calls 16816->16818 16817->16816 16819 1001122b 16818->16819 16819->16799 16819->16809 16820 10011e78 16819->16820 16821 10011eb6 GetCPInfo 16820->16821 16825 10011f40 16820->16825 16822 10011f2b MultiByteToWideChar 16821->16822 16823 10011ecd 16821->16823 16822->16825 16829 10011ee6 _strlen 16822->16829 16823->16822 16826 10011ed3 GetCPInfo 16823->16826 16824 10007ccf __output_l 5 API calls 16828 1001124c 16824->16828 16825->16824 16826->16822 16827 10011ee0 16826->16827 16827->16822 16827->16829 16828->16799 16828->16809 16830 10007c0c _malloc 67 API calls 16829->16830 16832 10011f18 _memset __alloca_probe_16 16829->16832 16830->16832 16831 10011f75 MultiByteToWideChar 16833 10011f8d 16831->16833 16834 10011fac 16831->16834 16832->16825 16832->16831 16836 10011fb1 16833->16836 16837 10011f94 WideCharToMultiByte 16833->16837 16835 1000fa35 __freea 67 API calls 16834->16835 16835->16825 16838 10011fd0 16836->16838 16839 10011fbc WideCharToMultiByte 16836->16839 16837->16834 16840 1000b195 __calloc_crt 67 API calls 16838->16840 16839->16834 16839->16838 16841 10011fd8 16840->16841 16841->16834 16842 10011fe1 WideCharToMultiByte 16841->16842 16842->16834 16843 10011ff3 16842->16843 16844 10007b2f __output_l 67 API calls 16843->16844 16844->16834 16846 1001132f LCMapStringW 16845->16846 16850 1001134a 16845->16850 16847 10011352 GetLastError 16846->16847 16846->16850 16847->16850 16848 10011547 16852 
10011e31 ___ansicp 91 API calls 16848->16852 16849 100113a4 16851 100113bd MultiByteToWideChar 16849->16851 16853 1001153e 16849->16853 16850->16848 16850->16849 16851->16853 16860 100113ea 16851->16860 16855 1001156f 16852->16855 16854 10007ccf __output_l 5 API calls 16853->16854 16856 1000f17e 16854->16856 16855->16853 16857 10011663 LCMapStringA 16855->16857 16858 10011588 16855->16858 16856->16775 16861 100115bf 16857->16861 16862 10011e78 ___convertcp 74 API calls 16858->16862 16859 1001143b MultiByteToWideChar 16863 10011454 LCMapStringW 16859->16863 16864 10011535 16859->16864 16866 10007c0c _malloc 67 API calls 16860->16866 16873 10011403 __alloca_probe_16 16860->16873 16865 1001168a 16861->16865 16870 10007b2f __output_l 67 API calls 16861->16870 16867 1001159a 16862->16867 16863->16864 16869 10011475 16863->16869 16868 1000fa35 __freea 67 API calls 16864->16868 16865->16853 16874 10007b2f __output_l 67 API calls 16865->16874 16866->16873 16867->16853 16871 100115a4 LCMapStringA 16867->16871 16868->16853 16872 1001147d 16869->16872 16878 100114a6 16869->16878 16870->16865 16871->16861 16876 100115c6 16871->16876 16872->16864 16875 1001148f LCMapStringW 16872->16875 16873->16853 16873->16859 16874->16853 16875->16864 16879 100115d7 _memset __alloca_probe_16 16876->16879 16881 10007c0c _malloc 67 API calls 16876->16881 16877 100114f5 LCMapStringW 16882 1001150d WideCharToMultiByte 16877->16882 16883 1001152f 16877->16883 16880 10007c0c _malloc 67 API calls 16878->16880 16884 100114c1 __alloca_probe_16 16878->16884 16879->16861 16885 10011615 LCMapStringA 16879->16885 16880->16884 16881->16879 16882->16883 16886 1000fa35 __freea 67 API calls 16883->16886 16884->16864 16884->16877 16887 10011631 16885->16887 16888 10011635 16885->16888 16886->16864 16891 1000fa35 __freea 67 API calls 16887->16891 16890 10011e78 ___convertcp 74 API calls 16888->16890 16890->16887 16891->16861 16892->16765 16896 10010c7d 16893->16896 16897 1000bbfe _LocaleUpdate::_LocaleUpdate 
77 API calls 16896->16897 16898 10010c8e 16897->16898 16898->16711 16900 1000b7c5 16899->16900 16901 1000b7cd 16899->16901 16900->16901 16906 1000b7f4 16900->16906 16902 10009230 __output_l 67 API calls 16901->16902 16903 1000b7d2 16902->16903 16904 100082eb __output_l 67 API calls 16903->16904 16905 1000b7e1 16904->16905 16905->16623 16906->16905 16907 10009230 __output_l 67 API calls 16906->16907 16907->16903 16909 1000e7e3 16908->16909 16910 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16909->16910 16911 1000e7fb 16909->16911 16910->16909 16911->16628 16915 10008044 16912->16915 16914 10008089 16914->16630 16916 10008050 __ioinit 16915->16916 16923 1000a295 16916->16923 16922 10008071 __ioinit 16922->16914 16924 10009513 __lock 67 API calls 16923->16924 16925 10008055 16924->16925 16926 10007f5c 16925->16926 16927 1000a91e __output_l 67 API calls 16926->16927 16928 10007f6c 16927->16928 16929 1000a91e __output_l 67 API calls 16928->16929 16930 10007f7d 16929->16930 16938 10008000 16930->16938 16946 1000b715 16930->16946 16932 10007f9b 16935 10007fbd 16932->16935 16942 10007fe6 16932->16942 16959 1000b1dd 16932->16959 16933 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16934 10007ff5 16933->16934 16936 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16934->16936 16935->16938 16939 1000b1dd __realloc_crt 73 API calls 16935->16939 16940 10007fd4 16935->16940 16936->16938 16943 1000807a 16938->16943 16939->16940 16940->16938 16941 1000a8a7 __initp_misc_cfltcvt_tab 67 API calls 16940->16941 16941->16942 16942->16933 17008 1000a29e 16943->17008 16947 1000b721 __ioinit 16946->16947 16948 1000b731 16947->16948 16949 1000b74e 16947->16949 16950 10009230 __output_l 67 API calls 16948->16950 16951 1000b78f HeapSize 16949->16951 16953 10009513 __lock 67 API calls 16949->16953 16952 1000b736 16950->16952 16954 1000b746 __ioinit 16951->16954 16955 100082eb __output_l 67 API calls 16952->16955 16956 1000b75e ___sbh_find_block 16953->16956 16954->16932 16955->16954 16964 
1000b7af 16956->16964 16962 1000b1e1 16959->16962 16961 1000b223 16961->16935 16962->16961 16963 1000b204 Sleep 16962->16963 16968 1000f81a 16962->16968 16963->16962 16967 1000943b LeaveCriticalSection 16964->16967 16966 1000b78a 16966->16951 16966->16954 16967->16966 16969 1000f826 __ioinit 16968->16969 16970 1000f83b 16969->16970 16971 1000f82d 16969->16971 16973 1000f842 16970->16973 16974 1000f84e 16970->16974 16972 10007c0c _malloc 67 API calls 16971->16972 16976 1000f835 __dosmaperr __ioinit 16972->16976 16975 10007b2f __output_l 67 API calls 16973->16975 16981 1000f9c0 16974->16981 17003 1000f85b ___sbh_resize_block ___sbh_find_block ___crtGetEnvironmentStringsA 16974->17003 16975->16976 16976->16962 16977 1000f9f3 16979 1000a715 _malloc 67 API calls 16977->16979 16978 1000f9c5 HeapReAlloc 16978->16976 16978->16981 16982 1000f9f9 16979->16982 16980 10009513 __lock 67 API calls 16980->17003 16981->16977 16981->16978 16983 1000fa17 16981->16983 16985 1000a715 _malloc 67 API calls 16981->16985 16987 1000fa0d 16981->16987 16984 10009230 __output_l 67 API calls 16982->16984 16983->16976 16986 10009230 __output_l 67 API calls 16983->16986 16984->16976 16985->16981 16988 1000fa20 GetLastError 16986->16988 16990 10009230 __output_l 67 API calls 16987->16990 16988->16976 16992 1000f98e 16990->16992 16991 1000f8e6 HeapAlloc 16991->17003 16992->16976 16993 1000f993 GetLastError 16992->16993 16993->16976 16994 1000f93b HeapReAlloc 16994->17003 16995 10009d60 ___sbh_alloc_block 5 API calls 16995->17003 16996 1000f9a6 16996->16976 16999 10009230 __output_l 67 API calls 16996->16999 16997 1000a715 _malloc 67 API calls 16997->17003 16998 100095b7 __VEC_memcpy VirtualFree VirtualFree HeapFree ___sbh_free_block 16998->17003 17001 1000f9b3 16999->17001 17000 1000f989 17002 10009230 __output_l 67 API calls 17000->17002 17001->16976 17001->16988 17002->16992 17003->16976 17003->16977 17003->16980 17003->16991 17003->16994 17003->16995 17003->16996 17003->16997 17003->16998 

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 100134BE
                                                                                                                                                                                                                            • OpenServiceA.ADVAPI32(00000000,?,00010000), ref: 100134D1
                                                                                                                                                                                                                            • DeleteService.ADVAPI32(00000000), ref: 100134DE
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 100134E4
                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 100134ED
                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 100134F6
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 100134FE
                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10013507
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 1001350F
                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 10013518
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Service$ErrorLast$CloseHandle$Open$DeleteManager
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2479149357-0
                                                                                                                                                                                                                            • Opcode ID: 0b951e9cdb1a0b26f3be69c1878f1c2782ce42dc9d03292b26ecafa066a6cc1a
                                                                                                                                                                                                                            • Instruction ID: 46c2e6c5a61eedaf3fef038684788d392a8c372027cf2a0885eba6b60b5d160f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0b951e9cdb1a0b26f3be69c1878f1c2782ce42dc9d03292b26ecafa066a6cc1a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9F01F132641624AFE7126BF49C8DB5E3B68EF49F42F058130FB01DA161DAB1E84086B1

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __snprintf.LIBCMT ref: 10012F6E
                                                                                                                                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000003,?,?,?,?,?), ref: 10012F89
                                                                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(?,Tag,00000000,?,00000001,?), ref: 10012FD4
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 10012FFA
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseOpenQueryValue__snprintf
                                                                                                                                                                                                                            • String ID: SYSTEM\CurrentControlSet\Services\%s$Tag$Tag
                                                                                                                                                                                                                            • API String ID: 906094135-167878906
                                                                                                                                                                                                                            • Opcode ID: 6f56ef87285fea69d5a8c9f690d12e05e358ab22d85251f7a7e5ed3c1616b0d0
                                                                                                                                                                                                                            • Instruction ID: f9c08eb89e650521aaf22d2235fa5d9325a6f599f2f4c571dbf36a9dd9bf478e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6f56ef87285fea69d5a8c9f690d12e05e358ab22d85251f7a7e5ed3c1616b0d0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 33116DB1A04354AFE328CB64CC4AFEB77E8EB89B40F40481CB74D9A180E774D945C7A2

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters,00000000,00000003,?,?,?,10013525,00000000), ref: 10012D86
                                                                                                                                                                                                                            • RegQueryValueExA.KERNELBASE ref: 10012DB9
                                                                                                                                                                                                                            • RegSetValueExA.KERNELBASE(?,DisabledComponents,00000000,00000004,?,00000004,?), ref: 10012DF7
                                                                                                                                                                                                                            • RegCloseKey.KERNELBASE(?), ref: 10012E04
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • DisabledComponents, xrefs: 10012DF1
                                                                                                                                                                                                                            • DisabledComponents, xrefs: 10012DAB
                                                                                                                                                                                                                            • SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, xrefs: 10012D7C
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$CloseOpenQuery
                                                                                                                                                                                                                            • String ID: DisabledComponents$DisabledComponents$SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
                                                                                                                                                                                                                            • API String ID: 237177642-4216016250
                                                                                                                                                                                                                            • Opcode ID: e76360cbcc9baf098a5e93c68d2a24a7b395f91ed9355a7129efde6212d0d687
                                                                                                                                                                                                                            • Instruction ID: 9ee4d2c3e57a7063b565cc8fc060191f73725880ea3dbb34ca1c1c45c67cef35
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e76360cbcc9baf098a5e93c68d2a24a7b395f91ed9355a7129efde6212d0d687
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7911A0B5508312BFE710DB54DD44FAB7BE8EB88B44F41890CF6899A0D0E374C984C756

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • RegOpenKeyExA.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,00000000,00000002,00000000,00000000,00000000), ref: 10012D15
                                                                                                                                                                                                                            • RegSetValueExA.KERNELBASE(00000000,DisableTaskOffload,00000000,00000004,?,00000004,?), ref: 10012D47
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 10012D54
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, xrefs: 10012D0B
                                                                                                                                                                                                                            • DisableTaskOffload, xrefs: 10012D3D
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseOpenValue
                                                                                                                                                                                                                            • String ID: DisableTaskOffload$SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
                                                                                                                                                                                                                            • API String ID: 779948276-1474643600
                                                                                                                                                                                                                            • Opcode ID: b914e9072d492bfd31763df8d8490f62f2f2385f3a95968ca031b7c0720cf9be
                                                                                                                                                                                                                            • Instruction ID: 2230c34db065372bc40d34239641de211e9b25fb5ab268f73dea6e655c247ba9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b914e9072d492bfd31763df8d8490f62f2f2385f3a95968ca031b7c0720cf9be
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BBF0E9716043207FE711EB209C4AF5B37E8AB8CB00F84891CF794DA180E370C958C796

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 36 401000-401006 37 401008-40100e 36->37 38 40103a-40103e 36->38 39 401010-401013 37->39 39->38 40 401015-401019 39->40 41 401031-401038 CharNextA 40->41 42 40101b 40->42 41->38 41->39 43 401020-401024 42->43 43->41 44 401026-401028 43->44 45 40102a-40102f CharNextA 44->45 46 40103f-401044 CharNextA 44->46 45->41 45->43
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CharNext
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3213498283-0
                                                                                                                                                                                                                            • Opcode ID: 7c522331cf8c48b44b5ec6a2051b80fc459d173407debce357d97d96f401c9b2
                                                                                                                                                                                                                            • Instruction ID: dde81b71a90f9f684eae9ae77c255fe350d7d91c01edff3817fbd5cfc17a4160
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c522331cf8c48b44b5ec6a2051b80fc459d173407debce357d97d96f401c9b2
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3BE06522A056E216D732162D28107AB568C4FD57E071A457BE8C0F77A5D639CCC642DD

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 47 40285e-40287c HeapCreate 48 402881-40288e call 402803 47->48 49 40287e-402880 47->49 52 402890-40289d call 40489e 48->52 53 4028b4-4028b7 48->53 52->53 56 40289f-4028b2 HeapDestroy 52->56 56->49
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,00401236,00000001), ref: 0040286F
                                                                                                                                                                                                                            • HeapDestroy.KERNEL32 ref: 004028A5
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Heap$CreateDestroy
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3296620671-0
                                                                                                                                                                                                                            • Opcode ID: 6a61f211992a6e18c95607d49fad3f3b072efb0b2f059ec0a30deba2ad50305b
                                                                                                                                                                                                                            • Instruction ID: c9b1d8ae43914fce643a3b0feff7cc958f3d34f8e715b1d91c1e9ab3a3c39313
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6a61f211992a6e18c95607d49fad3f3b072efb0b2f059ec0a30deba2ad50305b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ABE06576550301DAEB457B715F0DB363594E74074AF10853BF841F51E2FBB88540960D

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • HeapCreate.KERNELBASE(00000000,00001000,00000000,10008AA9,00000001,?,?,00000001,?,?,10008C27,00000001,?,?,1001B608,0000000C), ref: 100092E0
                                                                                                                                                                                                                            • HeapDestroy.KERNEL32(?,?,00000001,?,?,10008C27,00000001,?,?,1001B608,0000000C,10008CE1,?), ref: 10009316
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Heap$CreateDestroy
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3296620671-0
                                                                                                                                                                                                                            • Opcode ID: 564c51fca60af66e7a4a00761b05f1ec1e784a5b92eab29dc0ead7a71cea7728
                                                                                                                                                                                                                            • Instruction ID: 0c4cb1e0f78fd55b04bfad504b74cc3b14dfc1a1f94936553e122905dbeb7e21
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 564c51fca60af66e7a4a00761b05f1ec1e784a5b92eab29dc0ead7a71cea7728
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3CE01279654362AEFB41DB308C8976A35E8E7547C6F10C939F415C50B8FBB0C6809A04

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 67 4014e3-4014f1 call 4014bd ExitProcess
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • ___crtCorExitProcess.LIBCMT ref: 004014E7
                                                                                                                                                                                                                              • Part of subcall function 004014BD: GetModuleHandleA.KERNEL32(mscoree.dll,004014EC,?,00405D96,000000FF,0000001E,00000001,00000000,00000000,?,004040D4,?,00000001,?,00402C9C,00000018), ref: 004014C2
                                                                                                                                                                                                                              • Part of subcall function 004014BD: GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004014D2
                                                                                                                                                                                                                            • ExitProcess.KERNEL32 ref: 004014F1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExitProcess$AddressHandleModuleProc___crt
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2427264223-0
                                                                                                                                                                                                                            • Opcode ID: 6c26d35538560624cb0276524913e3c26102e8c22ac44d2ad5d5b3d3ea4d6717
                                                                                                                                                                                                                            • Instruction ID: 537dee8b853bd8b800ce6c4827e120e5e31ff7b11606db799f1f5586ed61abf1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6c26d35538560624cb0276524913e3c26102e8c22ac44d2ad5d5b3d3ea4d6717
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EBB01230004100AFC6012B10EF0BC0D7B71EF40744F00C47DF088100708F354C54BE05
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 100135C3
                                                                                                                                                                                                                            • CreateServiceW.ADVAPI32(00000000,?,?,000F01FF,00000001,00000001,00000001,?,PNP_TDI,?,00000000,00000000,00000000), ref: 10013605
                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 1001361B
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 10013625
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 1001363D
                                                                                                                                                                                                                            • OpenServiceA.ADVAPI32(?,?,00000014), ref: 10013655
                                                                                                                                                                                                                            • QueryServiceStatus.ADVAPI32(00000000,?), ref: 10013667
                                                                                                                                                                                                                            • StartServiceA.ADVAPI32(00000000,00000000,00000000), ref: 1001367D
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 10013689
                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(00000000), ref: 10013692
                                                                                                                                                                                                                            • CloseServiceHandle.ADVAPI32(?), ref: 100136A7
                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000), ref: 100136B9
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Service$ErrorLast$CloseHandle$Open$CreateManagerQueryStartStatus
                                                                                                                                                                                                                            • String ID: %S\%S.sys$PNP_TDI$system32\drivers\%S.sys
                                                                                                                                                                                                                            • API String ID: 3292902256-1894622794
                                                                                                                                                                                                                            • Opcode ID: 660a23612fc86a23e892aea1473c593627136715394c5b516177490ee6cba120
                                                                                                                                                                                                                            • Instruction ID: 3a4aafa71a6d85f3e9df812c39c39bfa152d82fe410905c2edde1af795798740
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 660a23612fc86a23e892aea1473c593627136715394c5b516177490ee6cba120
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1841E172644310BFE321DB608C89FAB77E9EB89B40F01851CFB859B291DA71E9408766
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 100020EF
                                                                                                                                                                                                                            • __aullrem.LIBCMT ref: 10002114
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 1000215A
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10002199
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100021AE
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 10002256
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10002295
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100022AA
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 1000239F
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 100023FE
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10002498
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100024AD
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10002563
                                                                                                                                                                                                                              • Part of subcall function 10014ED0: EnterCriticalSection.KERNEL32(10020324,?,?,?,?,?,?,?,?,?,1001536D), ref: 10014F3F
                                                                                                                                                                                                                              • Part of subcall function 10014ED0: WriteFile.KERNEL32(FFFFFFFF,?,00000008,00000000,?), ref: 10014F8F
                                                                                                                                                                                                                              • Part of subcall function 10014ED0: GetLastError.KERNEL32 ref: 10014F99
                                                                                                                                                                                                                              • Part of subcall function 10014ED0: LeaveCriticalSection.KERNEL32(10020324), ref: 10014FAB
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Enter$Leave$CountTick$ErrorFileLastWrite__aullrem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2584342812-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetCurrentProcessId.KERNEL32 ref: 100139D4
                                                                                                                                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,00000000), ref: 100139E2
                                                                                                                                                                                                                            • OpenProcessToken.ADVAPI32(00000000,00000020,?), ref: 100139F7
                                                                                                                                                                                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 10013A13
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 10013A22
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 10013A25
                                                                                                                                                                                                                            • AdjustTokenPrivileges.ADVAPI32 ref: 10013A5F
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?), ref: 10013A74
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 10013A77
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseHandle$Process$OpenToken$AdjustCurrentLookupPrivilegePrivilegesValue
                                                                                                                                                                                                                            • String ID: SeDebugPrivilege
                                                                                                                                                                                                                            • API String ID: 2638893802-2896544425
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetLogicalDriveStringsW.KERNEL32(00000104,?,9D13258C,?,?,?,00000000), ref: 1001640D
                                                                                                                                                                                                                            • QueryDosDeviceW.KERNEL32 ref: 1001646C
                                                                                                                                                                                                                            • GetDriveTypeW.KERNEL32(?,?,?,?,?,?), ref: 100165A1
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020484), ref: 10016726
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020484), ref: 10016742
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalDriveSection$DeviceEnterLeaveLogicalQueryStringsType
                                                                                                                                                                                                                            • String ID: :
                                                                                                                                                                                                                            • API String ID: 3137785116-336475711
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00401000: CharNextA.USER32 ref: 0040102B
                                                                                                                                                                                                                              • Part of subcall function 00401000: CharNextA.USER32 ref: 00401032
                                                                                                                                                                                                                            • MessageBoxA.USER32(00000000,Usage: nfregdrv.exe <driver_name> - register windows\system32\drivers\<driver_name>.sys nfregdrv.exe -u <driver_name> - unregister windows\system32\drivers\<driver_name>.sys,nfregdvr,00000000), ref: 004010AE
                                                                                                                                                                                                                            • ?nf_registerDriver@nfapi@@YA?AW4_NF_STATUS@@PBD@Z.NFAPI(?), ref: 004010CA
                                                                                                                                                                                                                            • ?nf_unRegisterDriver@nfapi@@YA?AW4_NF_STATUS@@PBD@Z.NFAPI(?), ref: 004010DB
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • nfregdvr, xrefs: 004010A2
                                                                                                                                                                                                                            • Usage: nfregdrv.exe <driver_name> - register windows\system32\drivers\<driver_name>.sys nfregdrv.exe -u <driver_name> - unregister windows\system32\drivers\<driver_name>.sys, xrefs: 004010A7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CharDriver@nfapi@@Next$?nf_register?nf_unMessageRegister
                                                                                                                                                                                                                            • String ID: Usage: nfregdrv.exe <driver_name> - register windows\system32\drivers\<driver_name>.sys nfregdrv.exe -u <driver_name> - unregister windows\system32\drivers\<driver_name>.sys$nfregdvr
                                                                                                                                                                                                                            • API String ID: 1889258244-2180452595
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100141E6
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100141FA
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,00000000,?,0000024A,00000000,00000000,?,00000000), ref: 10014287
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014297
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                                     • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • IsDebuggerPresent.KERNEL32 ref: 1000A7F0
                                                                                                                                                                                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 1000A805
                                                                                                                                                                                                                            • UnhandledExceptionFilter.KERNEL32(100198DC), ref: 1000A810
                                                                                                                                                                                                                            • GetCurrentProcess.KERNEL32(C0000409), ref: 1000A82C
                                                                                                                                                                                                                            • TerminateProcess.KERNEL32(00000000), ref: 1000A833
Memory Dump Source
• Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2579439406-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 10014010
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014025
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,0022019C,00000000,00000000,00000000,00000004,00000000,00000000), ref: 10014049
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001405F
Memory Dump Source
• Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10014176
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001418B
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201D0,00000000,00000000,00000000,00000000,?,00000000), ref: 100141AD
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100141BC
Memory Dump Source
• Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,100175DD,10020370), ref: 100013FC
                                                                                                                                                                                                                            • GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,100175DD,10020370), ref: 10001411
Memory Dump Source
• Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: EventInfoResetSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3761259369-0

Control-flow Graph (graph not preserved; legend: Executed / Not Executed)
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • _strcpy_s.LIBCMT ref: 00401821
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 00401832
                                                                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,0040B059,00000104), ref: 0040184E
                                                                                                                                                                                                                            • _strcpy_s.LIBCMT ref: 00401863
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 00401876
                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 0040187F
                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 0040188C
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 004018B9
                                                                                                                                                                                                                            • _strcat_s.LIBCMT ref: 004018CC
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 004018DD
                                                                                                                                                                                                                            • _strcat_s.LIBCMT ref: 004018EE
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 004018FF
                                                                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F4,?,?,00000000,76EC5E70,00000003,00401981,000000FC,00405D85,00000001,00000000,00000000,?,004040D4,?,00000001), ref: 0040191E
                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 0040193F
                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,004040D4,?,00000001,?,00402C9C,00000018,004094A0,0000000C,00402D2B,?), ref: 00401949
                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                                                                                                                                                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                                                                                                                            • API String ID: 1879448924-4022980321
                                                                                                                                                                                                                            • Opcode ID: 38520d41a68f396a59cc94f311c6a7ce392be311100e9e9c31ac4f97fc74b26a
                                                                                                                                                                                                                            • Instruction ID: ac205ba077d332f24294b0c45a0e422cb4ceea3e0f9d8061dc6338a319882752
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 38520d41a68f396a59cc94f311c6a7ce392be311100e9e9c31ac4f97fc74b26a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 043126E26402057AE6213A265E4AF2F3A4C9B01755F14403BFD45B22F3FA7E9A1181FE

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • _strcpy_s.LIBCMT ref: 1000A59E
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 1000A5AF
                                                                                                                                                                                                                            • GetModuleFileNameA.KERNEL32(00000000,1001F3C9,00000104), ref: 1000A5CB
                                                                                                                                                                                                                            • _strcpy_s.LIBCMT ref: 1000A5E0
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 1000A5F3
                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 1000A5FC
                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 1000A609
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 1000A636
                                                                                                                                                                                                                            • _strcat_s.LIBCMT ref: 1000A649
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 1000A65A
                                                                                                                                                                                                                            • _strcat_s.LIBCMT ref: 1000A66B
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 1000A67C
                                                                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F4,00000001,00000001,00000000,76EC5E70,00000003,1000A6FE,000000FC,10007C34,00000001,00000000,00000000,?,1000B162,?,00000001), ref: 1000A69B
                                                                                                                                                                                                                            • _strlen.LIBCMT ref: 1000A6BC
                                                                                                                                                                                                                            • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,1000B162,?,00000001,00000001,1000949D,00000018,1001B628,0000000C,1000952C,00000001), ref: 1000A6C6
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: __invoke_watson$_strlen$File_strcat_s_strcpy_s$HandleModuleNameWrite
                                                                                                                                                                                                                            • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                                                                                                                                                                                            • API String ID: 1879448924-4022980321
                                                                                                                                                                                                                            • Opcode ID: 4af349e1e8f6137c98c74494d34e3a9ba254edd55f11037dcb0b6f13b7d5c0d9
                                                                                                                                                                                                                            • Instruction ID: ea148cf6e80d7e79cea2e11fe5e00895b7d8e29f61cf08ee7211173885be836a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4af349e1e8f6137c98c74494d34e3a9ba254edd55f11037dcb0b6f13b7d5c0d9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E83118B69001252AF600E6208C56F7F369CEF172D0F050225FD49A519BEF37EEC241B6

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 421 40267f-40268f GetModuleHandleA 422 402691-402699 call 4023d3 421->422 423 40269a-4026e2 GetProcAddress * 4 421->423 424 4026e4-4026eb 423->424 425 4026fa-402719 423->425 424->425 428 4026ed-4026f4 424->428 429 40271e-40272c TlsAlloc 425->429 428->425 430 4026f6-4026f8 428->430 431 402732-40273d TlsSetValue 429->431 432 4027fe 429->432 430->425 430->429 431->432 433 402743-402792 call 401769 call 4022b3 * 4 call 402b9c 431->433 434 402800-402802 432->434 447 402794-4027af call 40232a 433->447 448 4027f9 call 4023d3 433->448 447->448 453 4027b1-4027c3 call 404107 447->453 448->432 453->448 456 4027c5-4027dc call 40232a 453->456 456->448 460 4027de-4027f7 call 402410 GetCurrentThreadId 456->460 460->434
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,00401248), ref: 00402685
                                                                                                                                                                                                                            • __mtterm.LIBCMT ref: 00402691
                                                                                                                                                                                                                              • Part of subcall function 004023D3: TlsFree.KERNEL32(00000003,004027FE), ref: 004023FE
                                                                                                                                                                                                                              • Part of subcall function 004023D3: DeleteCriticalSection.KERNEL32(00000000,00000000,7591DFB0,00000001,004027FE), ref: 00402C00
                                                                                                                                                                                                                              • Part of subcall function 004023D3: DeleteCriticalSection.KERNEL32(00000003,7591DFB0,00000001,004027FE), ref: 00402C2A
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 004026A7
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 004026B4
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 004026C1
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 004026CE
                                                                                                                                                                                                                            • TlsAlloc.KERNEL32 ref: 0040271E
                                                                                                                                                                                                                            • TlsSetValue.KERNEL32(00000000), ref: 00402739
                                                                                                                                                                                                                            • __init_pointers.LIBCMT ref: 00402743
                                                                                                                                                                                                                            • __calloc_crt.LIBCMT ref: 004027B8
                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 004027E8
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProc$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                                                                                                                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 2125014093-3819984048
                                                                                                                                                                                                                            • Opcode ID: 566b6117ed883b32ce1da04161b31b8634341426bd229c3b9e021c861b04e7bb
                                                                                                                                                                                                                            • Instruction ID: cf69b49cc4cf955eeb84bbbee0c69ed19c09a43a9505152bb4945c0e988a6b5c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 566b6117ed883b32ce1da04161b31b8634341426bd229c3b9e021c861b04e7bb
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EF313931900311DADB51AB75AF49A063BA4EB44354B10053FE994B72F2DFB98540DF9E
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,10008AB7,?,?,00000001,?,?,10008C27,00000001,?,?,1001B608,0000000C,10008CE1,?), ref: 1000AD16
                                                                                                                                                                                                                            • __mtterm.LIBCMT ref: 1000AD22
                                                                                                                                                                                                                              • Part of subcall function 1000A9FB: TlsFree.KERNEL32(00000001,10008B53,?,?,00000001,?,?,10008C27,00000001,?,?,1001B608,0000000C,10008CE1,?), ref: 1000AA26
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 1000AD38
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 1000AD45
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 1000AD52
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 1000AD5F
                                                                                                                                                                                                                            • TlsAlloc.KERNEL32(?,?,00000001,?,?,10008C27,00000001,?,?,1001B608,0000000C,10008CE1,?), ref: 1000ADAF
                                                                                                                                                                                                                            • TlsSetValue.KERNEL32(00000000,?,?,00000001,?,?,10008C27,00000001,?,?,1001B608,0000000C,10008CE1,?), ref: 1000ADCA
                                                                                                                                                                                                                            • __init_pointers.LIBCMT ref: 1000ADD4
                                                                                                                                                                                                                            • __calloc_crt.LIBCMT ref: 1000AE49
                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 1000AE79
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProc$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
                                                                                                                                                                                                                            • String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 630932248-3819984048
                                                                                                                                                                                                                            • Opcode ID: 27197f949f2674e2884e29655a0beec5e1f2c8da553a5096224482f203d367b5
                                                                                                                                                                                                                            • Instruction ID: 1b7aacb4b742e95e3da3d0493d0b543e31d3ba40a5e9cc7053759451afc8b022
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 27197f949f2674e2884e29655a0beec5e1f2c8da553a5096224482f203d367b5
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D5317EB1801262AAFB10EF78CC85A253FA4EB622D0B22C72EF425C71A4DF35C4C0CB51
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetEvent.KERNEL32(FFFFFFFF), ref: 100175B7
                                                                                                                                                                                                                              • Part of subcall function 100013F0: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,100175DD,10020370), ref: 100013FC
                                                                                                                                                                                                                              • Part of subcall function 100013F0: GetSystemInfo.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,100175DD,10020370), ref: 10001411
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(100203D8,100203F0,10020370), ref: 10017613
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(100203D8), ref: 10017621
                                                                                                                                                                                                                            • ReadFile.KERNEL32(FFFFFFFF,?,00000008,00000000,?), ref: 10017661
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 1001766B
                                                                                                                                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,0000000A), ref: 1001768B
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(100203D8), ref: 100176B7
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(100203D8), ref: 100176C4
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 100176D9
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 100176ED
                                                                                                                                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,00001388), ref: 10017700
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(FFFFFFFF,00000000), ref: 10017719
                                                                                                                                                                                                                            • GetOverlappedResult.KERNEL32(FFFFFFFF,?,?,00000000), ref: 10017739
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(100203D8), ref: 100177F0
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(100203D8), ref: 100177FD
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 10017812
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 10017826
                                                                                                                                                                                                                            • CancelIo.KERNEL32(FFFFFFFF), ref: 10017847
                                                                                                                                                                                                                            • SetEvent.KERNEL32(FFFFFFFF), ref: 10017868
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Event$CriticalSection$EnterLeaveWait$MultipleObjects$CancelErrorFileInfoLastObjectOverlappedReadResetResultSingleSystem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2252100280-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __snprintf.LIBCMT ref: 100137C7
                                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,00000000), ref: 100137EF
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 100137F9
                                                                                                                                                                                                                            • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,?,00000000), ref: 10013846
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1001384A
                                                                                                                                                                                                                            • _memset.LIBCMT ref: 1001386F
                                                                                                                                                                                                                            • GetVersionExA.KERNEL32 ref: 10013884
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(00000000,0022019C,00000000,00000000,?,00000004,?,00000000), ref: 100138A8
                                                                                                                                                                                                                            • SetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 10013975
                                                                                                                                                                                                                              • Part of subcall function 10013540: OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 100135C3
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ErrorLast$CreateFile$ControlDeviceManagerOpenVersion__snprintf_memset
                                                                                                                                                                                                                            • String ID: %s%s$360netmon$\\.\CtrlSM$aswstm$aswstm$nisdrv$symnets
                                                                                                                                                                                                                            • API String ID: 3009835240-779568551
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\GroupOrderList,00000000,00000003,?,?,00000001,?,?,00000000), ref: 10012E39
                                                                                                                                                                                                                            • RegQueryValueExA.ADVAPI32(?,PNP_TDI,00000000,?,00000000,?,00000000), ref: 10012E70
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,00000001), ref: 10012E7B
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseOpenQueryValue
                                                                                                                                                                                                                            • String ID: PNP_TDI$PNP_TDI$PNP_TDI$SYSTEM\CurrentControlSet\Control\GroupOrderList
                                                                                                                                                                                                                            • API String ID: 3677997916-2641009432
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __snprintf.LIBCMT ref: 10013094
                                                                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000003,?,?,?,?,?), ref: 100130AF
                                                                                                                                                                                                                            • RegSetValueExA.ADVAPI32(?,Group,00000000,00000001,?,00000005), ref: 100130F6
                                                                                                                                                                                                                            • RegSetValueExA.ADVAPI32(?,DependOnService,00000000,00000007,?,00000007), ref: 1001310D
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?), ref: 10013133
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$CloseOpen__snprintf
                                                                                                                                                                                                                            • String ID: DependOnService$Group$Group$NDIS$PNP_TDI$SYSTEM\CurrentControlSet\Services\%s$tcpip
                                                                                                                                                                                                                            • API String ID: 1654562893-4206996638
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,0040B040,00401917,0040B040,Microsoft Visual C++ Runtime Library,00012010), ref: 004034A1
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 004034BD
                                                                                                                                                                                                                              • Part of subcall function 004022B3: TlsGetValue.KERNEL32(00000000,00402328,00000000,00403482,00000000,00000000,00000314,?,?,?,0040B040,00401917,0040B040,Microsoft Visual C++ Runtime Library,00012010), ref: 004022C0
                                                                                                                                                                                                                              • Part of subcall function 004022B3: TlsGetValue.KERNEL32(00000006,?,?,?,0040B040,00401917,0040B040,Microsoft Visual C++ Runtime Library,00012010), ref: 004022D7
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004034DA
                                                                                                                                                                                                                              • Part of subcall function 004022B3: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B040,00401917,0040B040,Microsoft Visual C++ Runtime Library,00012010), ref: 004022EC
                                                                                                                                                                                                                              • Part of subcall function 004022B3: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00402307
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 004034EF
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 00403510
                                                                                                                                                                                                                              • Part of subcall function 00402D4D: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 00402DF7
                                                                                                                                                                                                                              • Part of subcall function 00402D4D: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 00402E01
                                                                                                                                                                                                                              • Part of subcall function 00402D4D: UnhandledExceptionFilter.KERNEL32(0040B040,?,?,00000000), ref: 00402E0B
                                                                                                                                                                                                                              • Part of subcall function 00402D4D: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 00402E26
                                                                                                                                                                                                                              • Part of subcall function 00402D4D: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 00402E2D
                                                                                                                                                                                                                              • Part of subcall function 0040232A: TlsGetValue.KERNEL32(00000000,004023BF,?,004024E4,?,?,0040199A), ref: 00402337
                                                                                                                                                                                                                              • Part of subcall function 0040232A: TlsGetValue.KERNEL32(00000006,?,004024E4,?,?,0040199A), ref: 0040234E
                                                                                                                                                                                                                              • Part of subcall function 0040232A: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004024E4,?,?,0040199A), ref: 00402363
                                                                                                                                                                                                                              • Part of subcall function 0040232A: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040237E
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 00403524
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 0040353C
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 004035AF
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate
                                                                                                                                                                                                                            • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                                                                                                                                                                            • API String ID: 2691309996-1046234306
                                                                                                                                                                                                                            • Opcode ID: f1db5f22bdf6dbb55a5fef3c5404ea4e20a60e7af2fc674b508acf6c650a639d
                                                                                                                                                                                                                            • Instruction ID: 13767e751e4e8118919b7ef88e5ef330d54a0fa0e132c7187f46cb55eadbc1d1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f1db5f22bdf6dbb55a5fef3c5404ea4e20a60e7af2fc674b508acf6c650a639d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FC416271D04205BACF21AFE59E8596F7FACEB44356B14487FE401F22D0DBBD8A408A9D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LoadLibraryA.KERNEL32(USER32.DLL,00000000,00000000,00000314,?,?,?,1001F3B0,1000A694,1001F3B0,Microsoft Visual C++ Runtime Library,00012010), ref: 1000EA3F
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,MessageBoxA), ref: 1000EA5B
                                                                                                                                                                                                                              • Part of subcall function 1000A8A7: TlsGetValue.KERNEL32(00000000,1000A91C,00000000,1000EA20,00000000,00000000,00000314,?,?,?,1001F3B0,1000A694,1001F3B0,Microsoft Visual C++ Runtime Library,00012010), ref: 1000A8B4
                                                                                                                                                                                                                              • Part of subcall function 1000A8A7: TlsGetValue.KERNEL32(00000002,?,?,?,1001F3B0,1000A694,1001F3B0,Microsoft Visual C++ Runtime Library,00012010), ref: 1000A8CB
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000EA78
                                                                                                                                                                                                                              • Part of subcall function 1000A8A7: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,1001F3B0,1000A694,1001F3B0,Microsoft Visual C++ Runtime Library,00012010), ref: 1000A8E0
                                                                                                                                                                                                                              • Part of subcall function 1000A8A7: GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 1000A8FB
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 1000EA8D
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 1000EAAE
                                                                                                                                                                                                                              • Part of subcall function 100081EF: _memset.LIBCMT ref: 1000827B
                                                                                                                                                                                                                              • Part of subcall function 100081EF: IsDebuggerPresent.KERNEL32(?,?,00000000), ref: 10008299
                                                                                                                                                                                                                              • Part of subcall function 100081EF: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000000), ref: 100082A3
                                                                                                                                                                                                                              • Part of subcall function 100081EF: UnhandledExceptionFilter.KERNEL32(1001F3B0,?,?,00000000), ref: 100082AD
                                                                                                                                                                                                                              • Part of subcall function 100081EF: GetCurrentProcess.KERNEL32(C000000D,?,?,00000000), ref: 100082C8
                                                                                                                                                                                                                              • Part of subcall function 100081EF: TerminateProcess.KERNEL32(00000000,?,?,00000000), ref: 100082CF
                                                                                                                                                                                                                              • Part of subcall function 1000A91E: TlsGetValue.KERNEL32(?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001,?,?,1001B608), ref: 1000A92B
                                                                                                                                                                                                                              • Part of subcall function 1000A91E: TlsGetValue.KERNEL32(00000002,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001), ref: 1000A942
                                                                                                                                                                                                                              • Part of subcall function 1000A91E: GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001), ref: 1000A957
                                                                                                                                                                                                                              • Part of subcall function 1000A91E: GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 1000A972
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetUserObjectInformationA), ref: 1000EAC2
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,GetProcessWindowStation), ref: 1000EADA
                                                                                                                                                                                                                            • __invoke_watson.LIBCMT ref: 1000EB4D
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProc$Value$ExceptionFilterHandleModuleProcessUnhandled__invoke_watson$CurrentDebuggerLibraryLoadPresentTerminate_memset
                                                                                                                                                                                                                            • String ID: GetProcessWindowStation$GetUserObjectInformationA$MessageBoxA$USER32.DLL
                                                                                                                                                                                                                            • API String ID: 2940365033-1046234306
                                                                                                                                                                                                                            • Opcode ID: d07f4621edcdfa6a2460bf8fc81f84a922532c73ec9128826bd03ea427b93a6a
                                                                                                                                                                                                                            • Instruction ID: 9cd623b29455d8c5ce966f6a502c8aefc0998dc8575b976e3ae0cba05518725e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d07f4621edcdfa6a2460bf8fc81f84a922532c73ec9128826bd03ea427b93a6a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0D418C75D04299AAFF04EFA4CCC596E7BE9EF153C0B11452EE402F2155DB38EA848B62
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 10017AF0
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10017CE3
                                                                                                                                                                                                                              • Part of subcall function 10012D70: RegOpenKeyExA.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters,00000000,00000003,?,?,?,10013525,00000000), ref: 10012D86
                                                                                                                                                                                                                              • Part of subcall function 10012D00: RegOpenKeyExA.KERNELBASE(80000002,SYSTEM\CurrentControlSet\Services\Tcpip\Parameters,00000000,00000002,00000000,00000000,00000000), ref: 10012D15
                                                                                                                                                                                                                              • Part of subcall function 10013790: __snprintf.LIBCMT ref: 100137C7
                                                                                                                                                                                                                              • Part of subcall function 10013790: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,00000000), ref: 100137EF
                                                                                                                                                                                                                              • Part of subcall function 10013790: GetLastError.KERNEL32(?,?,?,?,00000000), ref: 100137F9
                                                                                                                                                                                                                              • Part of subcall function 10013790: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,40000000,00000000,?,?,?,?,?,00000000), ref: 10013846
                                                                                                                                                                                                                              • Part of subcall function 10013790: GetLastError.KERNEL32(?,?,?,?,?,00000000), ref: 1001384A
                                                                                                                                                                                                                              • Part of subcall function 10013790: _memset.LIBCMT ref: 1001386F
                                                                                                                                                                                                                              • Part of subcall function 10013790: GetVersionExA.KERNEL32 ref: 10013884
                                                                                                                                                                                                                              • Part of subcall function 10013790: DeviceIoControl.KERNEL32(00000000,0022019C,00000000,00000000,?,00000004,?,00000000), ref: 100138A8
                                                                                                                                                                                                                            • _strncpy.LIBCMT ref: 10017B59
                                                                                                                                                                                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 10017B93
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,0012C800,00000000,00000000,10020180,00000020,00000000,?), ref: 10017BD9
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 10017BE3
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(FFFFFFFF), ref: 10017C01
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 10017C13
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10017C1A
                                                                                                                                                                                                                            • GetOverlappedResult.KERNEL32(FFFFFFFF,?,?,00000001), ref: 10017C48
                                                                                                                                                                                                                            • ?nf_free@nfapi@@YAXXZ.NFAPI ref: 10017CC2
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateCriticalErrorLastSection$CloseControlDeviceFileHandleLeaveOpen$?nf_free@nfapi@@EnterEventOverlappedResultVersion__snprintf_memset_strncpy
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2653159964-3916222277
                                                                                                                                                                                                                            • Opcode ID: 3f87b7c55b4061039f33afb2760d837fa2a97d9a8f10da4fd9a74bcaa174a95a
                                                                                                                                                                                                                            • Instruction ID: 607d77e5ab761dd3358ab37ac97749732553c8b829fe0467e4f2801d9018e119
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3f87b7c55b4061039f33afb2760d837fa2a97d9a8f10da4fd9a74bcaa174a95a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3F51C0B08043549FE341CF38CCC565A7BE9FB08364F60462DF559DB2A2D735DA858B92
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020324), ref: 10014D6E
                                                                                                                                                                                                                            • WriteFile.KERNEL32(FFFFFFFF,?,00000008,00000000,?), ref: 10014DF8
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 10014E02
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020324), ref: 10014E14
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$EnterErrorFileLastLeaveWrite
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1726892732-0
                                                                                                                                                                                                                            • Opcode ID: 9df71c563617eb9f339eaef5488ee90d51df01b4ebf1fcf1fc522e00c65f13bd
                                                                                                                                                                                                                            • Instruction ID: e6d18f47d42f15309a32aad744ee6051ace0a6f11929ee79e8724ce5300da237
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9df71c563617eb9f339eaef5488ee90d51df01b4ebf1fcf1fc522e00c65f13bd
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 14515971A043219FD304CF68EC84A66B7E9FB88720F118A5EF959CB2A1DB30D9458B91
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020324,?,?,?,?,?,?,?,?,?,1001536D), ref: 10014F3F
                                                                                                                                                                                                                            • WriteFile.KERNEL32(FFFFFFFF,?,00000008,00000000,?), ref: 10014F8F
                                                                                                                                                                                                                            • GetLastError.KERNEL32 ref: 10014F99
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020324), ref: 10014FAB
                                                                                                                                                                                                                            • WaitForMultipleObjects.KERNEL32(00000002,?,00000000,000000FF), ref: 10014FC6
                                                                                                                                                                                                                            • CancelIo.KERNEL32(FFFFFFFF), ref: 10014FD7
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020324), ref: 10014FE2
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(FFFFFFFF,00000000), ref: 10014FF9
                                                                                                                                                                                                                            • CancelIo.KERNEL32(FFFFFFFF), ref: 10015009
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020324), ref: 10015014
                                                                                                                                                                                                                            • GetOverlappedResult.KERNEL32(FFFFFFFF,?,?,00000000), ref: 1001502F
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020324), ref: 1001504B
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$CancelWait$EnterErrorFileLastMultipleObjectObjectsOverlappedResultSingleWrite
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 875271372-0
                                                                                                                                                                                                                            • Opcode ID: 4956b33f9505844bcca6f3e2d83279b108e1b3c573e129efff33a3fba19fd776
                                                                                                                                                                                                                            • Instruction ID: 56031a59c6608db13f70e1c4f4aa1c6cc63b7cc0fadcfe5918aabc4c2d2b60d1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4956b33f9505844bcca6f3e2d83279b108e1b3c573e129efff33a3fba19fd776
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B3418E359043209FE305CF68CCC5A6A77E5FB88760F51CA1DF9A9CA2A1DB30D9458B92
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409438,0000000C,00402521,00000000,00000000,?,?,0040199A), ref: 00402421
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,EncodePointer), ref: 00402455
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 00402465
                                                                                                                                                                                                                            • InterlockedIncrement.KERNEL32(0040A460), ref: 00402487
                                                                                                                                                                                                                            • __lock.LIBCMT ref: 0040248F
                                                                                                                                                                                                                            • ___addlocaleref.LIBCMT ref: 004024AE
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                                                                                                                                                                                                            • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 1036688887-2843748187
                                                                                                                                                                                                                            • Opcode ID: 492f236ed60c7165788bb238f70ef5b424b799d510fd4f5d693c5339c7311626
                                                                                                                                                                                                                            • Instruction ID: c1e121c7a9f45585e2cf3b5064cbb5a882fb755c8da4f7f00742ea9dc2ffa3f8
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 492f236ed60c7165788bb238f70ef5b424b799d510fd4f5d693c5339c7311626
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C41182719407019ED710AF75DA49B5ABBE4EF44314F10853EE495B32D1CBBC9900CF19
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,1001B668,0000000C,1000AB49,00000000,00000000,?,?,?,1000A968,?,1000ACF2,00000000,00000000,10008BC3,00000000), ref: 1000AA49
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,EncodePointer), ref: 1000AA7D
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(?,DecodePointer), ref: 1000AA8D
                                                                                                                                                                                                                            • InterlockedIncrement.KERNEL32(1001E5E0), ref: 1000AAAF
                                                                                                                                                                                                                            • __lock.LIBCMT ref: 1000AAB7
                                                                                                                                                                                                                            • ___addlocaleref.LIBCMT ref: 1000AAD6
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressProc$HandleIncrementInterlockedModule___addlocaleref__lock
                                                                                                                                                                                                                            • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 1036688887-2843748187
                                                                                                                                                                                                                            • Opcode ID: 6cb8d5c28d5074f433760f6667332ab0361c674de9d04a8c3266a8bd50229b50
                                                                                                                                                                                                                            • Instruction ID: bcf2beea3aee41d2aa15f995c6c6d73addff0134c8f7c4ab08a319bce46e109a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6cb8d5c28d5074f433760f6667332ab0361c674de9d04a8c3266a8bd50229b50
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9F116DB49007469FEB11DF75CC45B9ABBE0EF06380F008519E5A59B291DB34EA80CB11
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 10015FFC
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10016018
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10016046
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 10012F40: __snprintf.LIBCMT ref: 10012F6E
                                                                                                                                                                                                                              • Part of subcall function 10012F40: RegOpenKeyExA.KERNELBASE(80000002,?,00000000,00000003,?,?,?,?,?), ref: 10012F89
                                                                                                                                                                                                                              • Part of subcall function 10012E20: RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\GroupOrderList,00000000,00000003,?,?,00000001,?,?,00000000), ref: 10012E39
                                                                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,SYSTEM\CurrentControlSet\Control\GroupOrderList,00000000,00000003,?), ref: 1001343E
                                                                                                                                                                                                                            • RegSetValueExA.ADVAPI32(?,PNP_TDI,00000000,00000003,?,00000004), ref: 10013471
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 1001347C
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Open$CloseValue__snprintf
                                                                                                                                                                                                                            • String ID: PNP_TDI$SYSTEM\CurrentControlSet\Control\GroupOrderList$Tcpip$Tdx
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 100039B6
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168), ref: 10003C89
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10003CBA
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 10003CBE
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 10003CDD
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10003D10
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 10003D80
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1001AF8C), ref: 10003DA0
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$_malloc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 10002F36
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168), ref: 10003209
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 1000323A
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 1000323E
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 1000325D
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10003290
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 10003300
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1001AF8C), ref: 10003320
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$_malloc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C,?,?,?,?,?,10015F9A,?,?,?,?,00000000,00000000), ref: 10015994
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,?,10015F9A,?,?,?,?,00000000,00000000), ref: 100159AA
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168,?,?,?,10015F9A,?,?,?,?,00000000,00000000), ref: 100159BD
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168,?,?,?,10015F9A,?,?,?,?,00000000,00000000), ref: 100159EA
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 100159EE
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015A0D
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$_malloc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C,?,?,?,?,?,1001636E,?,00000000,?,?,00000000,00000000), ref: 10015AB4
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,?,1001636E,?,00000000,?,?,00000000,00000000), ref: 10015ACA
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168,?,?,?,1001636E,?,00000000,?,?,00000000,00000000), ref: 10015ADD
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168,?,?,?,1001636E,?,00000000,?,?,00000000,00000000), ref: 10015B0A
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 10015B0E
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015B2D
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$_malloc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2624469294-0
                                                                                                                                                                                                                            • Opcode ID: 0b1f382d706e44ec0e1a58c49b7b50b2d9c2de06ca5ddb6f4ca569de45bb812b
                                                                                                                                                                                                                            • Instruction ID: 0036e264ff8d4791e783871741635e394cc451c67550918a7cfab00ff319ecfa
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0b1f382d706e44ec0e1a58c49b7b50b2d9c2de06ca5ddb6f4ca569de45bb812b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BC310B72641355CFD311CF2CDC80999B3E5EF94262B6A422BF559CF252DB32E8448B91
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10014B16
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014B2B
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201BC,00000000,00000000,00000000,00000000,?,00000000), ref: 10014B54
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014B5F
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            • Opcode ID: 02bb3fff05f25983f8711dfb826126a47c4f04985e71065dc7fb2bdb1fcbf30f
                                                                                                                                                                                                                            • Instruction ID: 02a2f6b1c1c0d08758aff6957e8ee0c5b887a2a9afcc407cdac575b478d4874d
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 02bb3fff05f25983f8711dfb826126a47c4f04985e71065dc7fb2bdb1fcbf30f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2521E772359311BFF210CBA8ACC6F963399EB84F71F224609F715AA0D1DF70E8448666
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10014C06
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014C1B
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201BC,00000000,00000000,00000000,00000000,?,00000000), ref: 10014C44
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014C4F
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            • Opcode ID: 19f12ee8c8cf86aad4f1a8f5e61e85f259d81ceda6a06445ab1c933b9452340a
                                                                                                                                                                                                                            • Instruction ID: 4bb90ba6e2ddb0c313f38f00bcf08c1032174cdcc12a3aad3dba23a14210028a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 19f12ee8c8cf86aad4f1a8f5e61e85f259d81ceda6a06445ab1c933b9452340a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4A210872351311BFF210C7A8AC85F967399EB88F71F224608F7149A0D1DFB0E94486A5
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C,00000000,?,10017CBE), ref: 100179F9
                                                                                                                                                                                                                            • ResetEvent.KERNEL32(FFFFFFFF,?,10017CBE), ref: 10017A2E
                                                                                                                                                                                                                            • ResetEvent.KERNEL32(FFFFFFFF,?,10017CBE), ref: 10017A37
                                                                                                                                                                                                                            • ResetEvent.KERNEL32(FFFFFFFF,?,10017CBE), ref: 10017A40
                                                                                                                                                                                                                            • SetEvent.KERNEL32(FFFFFFFF), ref: 10017A67
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,10017CBE), ref: 10017A7C
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(FFFFFFFF,000000FF), ref: 10017A96
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10017AA1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Event$CriticalResetSection$Leave$EnterObjectSingleWait
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 227606595-0
                                                                                                                                                                                                                            • Opcode ID: 0af12d4d274b4158eff6cb139f5dbd0a4003279a660a605caf6bf13278f8ed7d
                                                                                                                                                                                                                            • Instruction ID: 370ae82c3914d7338aeaefb3dba61d6cd4c1daa1705ad23ed54f4bf6628b88f1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0af12d4d274b4158eff6cb139f5dbd0a4003279a660a605caf6bf13278f8ed7d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 93115E729103719FF315DB648C88B5937A9EB4C761F21C319FA29861E1DB30D9418F91
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 10016A2B
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 10016B87
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 10016CFD
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,76EBFFB0,00000000), ref: 10017214
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001721F
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$CountEnterTick$Leave
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1274362258-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • getSystemCP.LIBCMT ref: 1000F384
                                                                                                                                                                                                                              • Part of subcall function 1000F2F1: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 1000F2FE
                                                                                                                                                                                                                              • Part of subcall function 1000F2F1: GetOEMCP.KERNEL32(00000000,?,1000D589,?,00000000,7591F380), ref: 1000F318
                                                                                                                                                                                                                            • setSBCS.LIBCMT ref: 1000F396
                                                                                                                                                                                                                              • Part of subcall function 1000F06E: _memset.LIBCMT ref: 1000F081
                                                                                                                                                                                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,1001B930), ref: 1000F3DC
                                                                                                                                                                                                                            • GetCPInfo.KERNEL32(00000000,1000F6EE), ref: 1000F3EF
                                                                                                                                                                                                                            • _memset.LIBCMT ref: 1000F407
                                                                                                                                                                                                                            • setSBUpLow.LIBCMT ref: 1000F4DA
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Locale_memset$CodeInfoPageSystemUpdateUpdate::_Valid
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2658552758-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10015845
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015855
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001586D
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168), ref: 10015874
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 100158A4
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 100158A8
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$_malloc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2624469294-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 1001551F
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015533
                                                                                                                                                                                                                            • __aullrem.LIBCMT ref: 10015558
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,00000000,00000000), ref: 1001557E
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter__aullrem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1392406986-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10015753
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015763
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001577A
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168), ref: 10015781
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 100157A8
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 100157AC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$_malloc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2624469294-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(00000000,00402328,00000000,00403482,00000000,00000000,00000314,?,?,?,0040B040,00401917,0040B040,Microsoft Visual C++ Runtime Library,00012010), ref: 004022C0
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(00000006,?,?,?,0040B040,00401917,0040B040,Microsoft Visual C++ Runtime Library,00012010), ref: 004022D7
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,0040B040,00401917,0040B040,Microsoft Visual C++ Runtime Library,00012010), ref: 004022EC
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00402307
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: EncodePointer$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 1929421221-3682587211
                                                                                                                                                                                                                            • Opcode ID: 1a385f102c7f14214112f7259b1974e6b0907a5b8e91fbf1077ec2ee8662ada9
                                                                                                                                                                                                                            • Instruction ID: 50336ba6c918c6c116f5e3fcbab542df5951bbe2d872b07961eb55563d71e960
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1a385f102c7f14214112f7259b1974e6b0907a5b8e91fbf1077ec2ee8662ada9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BFF06D301056129BDA529B74EF08A6B7BA5AF40394B15047AB854F62F4CF78CC11DA6D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(00000000,004023BF,?,004024E4,?,?,0040199A), ref: 00402337
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(00000006,?,004024E4,?,?,0040199A), ref: 0040234E
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,004024E4,?,?,0040199A), ref: 00402363
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 0040237E
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
• Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
• Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: DecodePointer$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 1929421221-629428536
                                                                                                                                                                                                                            • Opcode ID: b796f7a9d0800bb9e160982425eb8aa8e27173a6ee7dc456a018aa060cd778d7
                                                                                                                                                                                                                            • Instruction ID: b3a0eb18012e6aadf2811430fba97e87ad444e4cba862865431688a9bf4f90a9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b796f7a9d0800bb9e160982425eb8aa8e27173a6ee7dc456a018aa060cd778d7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A1F01230501623ABD712A734DF08A5B3AA59F41390715413ABC58F62F4DB7CCD12865D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(00000000,1000A91C,00000000,1000EA20,00000000,00000000,00000314,?,?,?,1001F3B0,1000A694,1001F3B0,Microsoft Visual C++ Runtime Library,00012010), ref: 1000A8B4
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(00000002,?,?,?,1001F3B0,1000A694,1001F3B0,Microsoft Visual C++ Runtime Library,00012010), ref: 1000A8CB
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,?,?,1001F3B0,1000A694,1001F3B0,Microsoft Visual C++ Runtime Library,00012010), ref: 1000A8E0
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 1000A8FB
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: EncodePointer$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 1929421221-3682587211
                                                                                                                                                                                                                            • Opcode ID: 698cc03a02ed437f9e78c1477e8a38eecfbfb8aad5433eb0b7b92186c3789519
                                                                                                                                                                                                                            • Instruction ID: caffd8b91c38bffb5cca897b74d77eec42bfe04cae3721fbb3b20170df584618
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 698cc03a02ed437f9e78c1477e8a38eecfbfb8aad5433eb0b7b92186c3789519
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9F01D30A05626AFFA51DB24CC8895A3BD8DF467D07028624F854E71B8DF30CED29B51
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001,?,?,1001B608), ref: 1000A92B
                                                                                                                                                                                                                            • TlsGetValue.KERNEL32(00000002,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001), ref: 1000A942
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(KERNEL32.DLL,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001), ref: 1000A957
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000,DecodePointer), ref: 1000A972
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: DecodePointer$KERNEL32.DLL
                                                                                                                                                                                                                            • API String ID: 1929421221-629428536
                                                                                                                                                                                                                            • Opcode ID: 849bf8aa20e695c811e63e4f389fbd3f38ad5f5727a41dc013945db67583cb91
                                                                                                                                                                                                                            • Instruction ID: bd257daf5de9dee36b7a7df8f8d7f9ef99228c3852669747f2885a7cf79806d7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 849bf8aa20e695c811e63e4f389fbd3f38ad5f5727a41dc013945db67583cb91
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9FF0F930A056229EEA52DB248C8899A7BD8EF463D07028224F968D7168DB30CDD18A51
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100018A4
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100018E0
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10001916
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100019BE
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10001A02
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10001A3C
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 10001AA3
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 10001AF7
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?), ref: 10001B76
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10002045
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeave
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3168844106-0
                                                                                                                                                                                                                            • Opcode ID: 1148cbf5bdb9481604341125c06b22783845d375c7f4a15b8700bf0034355e6e
                                                                                                                                                                                                                            • Instruction ID: 1c7db7b73577996e6f6b7cc1b13f752c77784736a4bb66c20c39e3569af504b5
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1148cbf5bdb9481604341125c06b22783845d375c7f4a15b8700bf0034355e6e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3891D370A04384CFE710CF68C880B9AB7E6FF89384F45855DF8858B256D775E985CB62
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,10018530,000000FF), ref: 100178C1
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,?,?,?,?,?,?,?,?,?,?,10018530,000000FF), ref: 100178DD
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10017906
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2978645861-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168,?,?,?,?,10016A9A,?,?,?,76EBFFB0,00000000), ref: 10013EE9
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10013F17
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 10013F22
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10013F69
                                                                                                                                                                                                                            • _memset.LIBCMT ref: 10013F7C
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 10013FA6
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$CountEnterTick_malloc_memset
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3854238366-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10015EEF
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015F03
                                                                                                                                                                                                                            • __aullrem.LIBCMT ref: 10015F28
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,00000000,00000000), ref: 10015F4E
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter__aullrem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1392406986-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C,?,?,00000001,?,10016ABE,?,?,-00000067,?,?,?,76EBFFB0,00000000), ref: 100148A9
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,10016ABE,?,?,-00000067,?,?,?,76EBFFB0,00000000), ref: 100148BD
                                                                                                                                                                                                                            • _memset.LIBCMT ref: 100148E2
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,00220194,00000000,0000002C,00000000,0000002C,?,00000000), ref: 10014917
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014942
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter_memset
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 589867189-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetEvent.KERNEL32(FFFFFFFF,?,?,?,100156AB), ref: 1001561F
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(FFFFFFFF,000000FF,?,?,?,100156AB), ref: 1001563F
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(FFFFFFFF,?,?,?,100156AB), ref: 1001564C
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?,?,?,?,100156AB), ref: 1001566D
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,100156AB), ref: 1001567C
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,100156AB), ref: 10015684
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseEventHandleObjectSingleWait
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2055531096-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • QueryDosDeviceW.KERNEL32 ref: 1001646C
                                                                                                                                                                                                                            • GetDriveTypeW.KERNEL32(?,?,?,?,?,?), ref: 100165A1
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020484), ref: 10016726
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020484), ref: 10016742
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$DeviceDriveEnterLeaveQueryType
                                                                                                                                                                                                                            • String ID: :
                                                                                                                                                                                                                            • API String ID: 2472114325-336475711
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: __flsbuf$__flswbuf_wctomb_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3257920507-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 10017308
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,00220198,?,00000004,?,?,1002030C,00000000), ref: 10017352
                                                                                                                                                                                                                              • Part of subcall function 10015070: EnterCriticalSection.KERNEL32 ref: 100150AF
                                                                                                                                                                                                                              • Part of subcall function 10015070: LeaveCriticalSection.KERNEL32(10020484,00000000,000000FF,00000000,000000FF,?,00000000), ref: 1001517C
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?), ref: 100174C8
                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000008), ref: 100174EB
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100174F6
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter$ControlDeviceErrorLast
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4103992608-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • getSystemCP.LIBCMT ref: 00403CC1
                                                                                                                                                                                                                              • Part of subcall function 00403C2E: _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00403C3B
                                                                                                                                                                                                                              • Part of subcall function 00403C2E: GetOEMCP.KERNEL32(00000000,?,00401DD5), ref: 00403C55
                                                                                                                                                                                                                            • setSBCS.LIBCMT ref: 00403CD3
                                                                                                                                                                                                                            • IsValidCodePage.KERNEL32(-00000030,00000000,?,00000000,00409560), ref: 00403D19
                                                                                                                                                                                                                            • GetCPInfo.KERNEL32(00000000,0040402B), ref: 00403D2C
                                                                                                                                                                                                                            • setSBUpLow.LIBCMT ref: 00403E17
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Locale$CodeInfoPageSystemUpdateUpdate::_Valid
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 364485666-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetTickCount.KERNEL32 ref: 10016897
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32 ref: 100168B8
                                                                                                                                                                                                                            • ?nf_tcpPostReceive@nfapi@@YA?AW4_NF_STATUS@@_KPBDH@Z.NFAPI(?,?,00000000,00000000), ref: 10016931
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10016948
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 100169C9
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$?nf_tcpCountEnterEventLeavePostReceive@nfapi@@S@@_Tick
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2201467506-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168), ref: 10013D19
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10013D47
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 10013D52
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10013D99
                                                                                                                                                                                                                            • _memset.LIBCMT ref: 10013DAC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter_malloc_memset
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 923394041-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10014096
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100140AA
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,00000000,?,0000025B,00000000,00000000,?,00000000), ref: 10014137
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014147
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            • Opcode ID: c7db852ffef9afacecec687bb358ebba848a58d4b521bdcfc675cc6101f49ccd
                                                                                                                                                                                                                            • Instruction ID: 943a08fe69652d90c9d1f998fde71af210911f062dc05d4fd50d64c2a8c94902
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c7db852ffef9afacecec687bb358ebba848a58d4b521bdcfc675cc6101f49ccd
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BE110A76500210AFE705CB68DC89ADB33D9EF88760F118219F6128B1E1EF70DA84C690
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100162DF
                                                                                                                                                                                                                            • __aullrem.LIBCMT ref: 100162F8
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,00000000,00000000), ref: 1001631E
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,00000000,00000000), ref: 10016346
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10016378
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter__aullrem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1392406986-0
                                                                                                                                                                                                                            • Opcode ID: a12b99a6437fde0b1fddeed73491248cb1b45896119e412d513d9bd3dbe0284c
                                                                                                                                                                                                                            • Instruction ID: 8b44c5907cacb563da89275e12a7b823dc438703cb38c6685e6cf52fab2f5aee
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a12b99a6437fde0b1fddeed73491248cb1b45896119e412d513d9bd3dbe0284c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E3115B313002059FD700CB69EC88DAEB3DEEF89561B5581A5FD08CF292E732ED5083A0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 1001497F
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014993
                                                                                                                                                                                                                            • __aullrem.LIBCMT ref: 100149B8
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,00000000,00000000), ref: 100149DE
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter__aullrem
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1392406986-0
                                                                                                                                                                                                                            • Opcode ID: 2404607320ef2a75d0717d5302f9e8fa9c4f34ddd1540ab3d998488c8b00b57d
                                                                                                                                                                                                                            • Instruction ID: 4e2cb47ff58eaee26e2a48776ae77e93d28fc32bba7de68dc87d4d27a697fb70
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2404607320ef2a75d0717d5302f9e8fa9c4f34ddd1540ab3d998488c8b00b57d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 441104317002449FD310CB68EC88F9A77DAEF85671F524295FA588B2A2DB31DC848691
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100152EF
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015303
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015321
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID: B
                                                                                                                                                                                                                            • API String ID: 2978645861-1255198513
                                                                                                                                                                                                                            • Opcode ID: d389180647d33e7fd7909b68b13a63dafe69a50724e4bfe4741239f59ea6ff70
                                                                                                                                                                                                                            • Instruction ID: 5862e67234fadea20cb6fb71e4dcca28f21175ac499c2c8a774871cc376374ad
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d389180647d33e7fd7909b68b13a63dafe69a50724e4bfe4741239f59ea6ff70
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C711C2327002188BDB01CF69ECC4599B7A5FF443B1B54826AFE2CCF292DB71D94486D0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100144A8
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100144EC
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201B4,?,00000014,00000000,00000000,00000000,00000000), ref: 10014513
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014522
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014533
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                             • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            • Opcode ID: a308096551d9751a7049de7f445834c6eeaff320b8b2092d6412a4f98500842a
                                                                                                                                                                                                                            • Instruction ID: a46a0420c4f18f8497baad094036f26d02c65c78e58f58d61c697df38c55562f
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a308096551d9751a7049de7f445834c6eeaff320b8b2092d6412a4f98500842a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C7113C746147019FE304DF28DC85B5677E6FF88B21F81C64CF9598B2A2D770D908CA92
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100146D6
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100146EC
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201A4,?,00000010,?,00000004,?,00000000), ref: 1001471D
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014738
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __lock.LIBCMT ref: 00404057
                                                                                                                                                                                                                              • Part of subcall function 00402D12: __mtinitlocknum.LIBCMT ref: 00402D26
                                                                                                                                                                                                                              • Part of subcall function 00402D12: __amsg_exit.LIBCMT ref: 00402D32
                                                                                                                                                                                                                              • Part of subcall function 00402D12: EnterCriticalSection.KERNEL32(?,?,?,00405EA1,00000004,00409600,0000000C,0040411A,?,?,00000000,00000000,00000000,004024F8,00000001,00000214), ref: 00402D3A
                                                                                                                                                                                                                            • ___sbh_find_block.LIBCMT ref: 00404062
                                                                                                                                                                                                                            • ___sbh_free_block.LIBCMT ref: 00404071
                                                                                                                                                                                                                            • HeapFree.KERNEL32(00000000,?,00409580,0000000C,00402CF3,00000000,004094A0,0000000C,00402D2B,?,?,?,00405EA1,00000004,00409600,0000000C), ref: 004040A1
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,00405EA1,00000004,00409600,0000000C,0040411A,?,?,00000000,00000000,00000000,004024F8,00000001,00000214), ref: 004040B2
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2714421763-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 10001340: EnterCriticalSection.KERNEL32(?,?,?,?,100156AB), ref: 10001378
                                                                                                                                                                                                                              • Part of subcall function 10001340: LeaveCriticalSection.KERNEL32(10020350,?,?,?,?,?,?,?,100156AB), ref: 100013BF
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?,9D13258C,?,?,?,1001885B,000000FF), ref: 1000124D
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,1001885B,000000FF), ref: 10001266
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,1001885B,000000FF), ref: 10001273
                                                                                                                                                                                                                            • DeleteCriticalSection.KERNEL32(10020350,?,?,?,1001885B,000000FF), ref: 10001284
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,1001885B,000000FF), ref: 10001295
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$CloseHandle$DeleteEnterEventLeaveObjectSingleWait
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2474944948-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __lock.LIBCMT ref: 10007B4D
                                                                                                                                                                                                                              • Part of subcall function 10009513: __mtinitlocknum.LIBCMT ref: 10009527
                                                                                                                                                                                                                              • Part of subcall function 10009513: __amsg_exit.LIBCMT ref: 10009533
                                                                                                                                                                                                                              • Part of subcall function 10009513: EnterCriticalSection.KERNEL32(?,?,?,1000F77D,00000004,1001B950,0000000C,1000B1A8,?,?,00000000,00000000,00000000,1000AB20,00000001,00000214), ref: 1000953B
                                                                                                                                                                                                                            • ___sbh_find_block.LIBCMT ref: 10007B58
                                                                                                                                                                                                                            • ___sbh_free_block.LIBCMT ref: 10007B67
                                                                                                                                                                                                                            • HeapFree.KERNEL32(00000000,00000001,1001B588,0000000C,100094F4,00000000,1001B628,0000000C,1000952C,00000001,?,?,1000F77D,00000004,1001B950,0000000C), ref: 10007B97
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,1000F77D,00000004,1001B950,0000000C,1000B1A8,?,?,00000000,00000000,00000000,1000AB20,00000001,00000214), ref: 10007BA8
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2714421763-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10014426
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001443C
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201B8,?,00000004,?,00000010,?,00000000), ref: 1001446F
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014484
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10014548
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014575
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201B0,?,0000000C,00000000,00000000,00000000,00000000), ref: 1001459C
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100145AB
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            • Opcode ID: cf9b4901ff1e343b7e26287a133ebef74e919893ac441ab88bcd06e640e03855
                                                                                                                                                                                                                            • Instruction ID: 0eff3ab3fb06489d6740a8c9915ab30779d44775857bedc5cb99c14d77079b55
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cf9b4901ff1e343b7e26287a133ebef74e919893ac441ab88bcd06e640e03855
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 73016774514311AFE301DF28CD45B5A77E5EF98B10F918A08F964862E2E774D5048A52
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100145D8
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014605
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201AC,?,0000000C,00000000,00000000,00000000,00000000), ref: 1001462C
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001463B
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            • Opcode ID: 6e4f1e0d7d0e21a89da46d87f902386311073b00f14cfb2b082e5294dee19481
                                                                                                                                                                                                                            • Instruction ID: 42d7f987a94a52d01ef36b35c772b808b674778ff1b5ba1bc601a11ad0b11856
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6e4f1e0d7d0e21a89da46d87f902386311073b00f14cfb2b082e5294dee19481
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A016274A14311AFF300DF28CD85B5A77E5EF98B10F918A08F968862E2E774D5088A92
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020458,0000000A,?,00000000,1001783B), ref: 100038FE
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020458), ref: 1000392C
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,00002710), ref: 1000393A
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020458), ref: 10003941
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020458), ref: 10003963
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeave$ObjectSingleWait
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1755037574-0
                                                                                                                                                                                                                            • Opcode ID: 3bb25a39c071496a06b616590bfd4f65b77da877f5bd338bfbeae23c9fbe291f
                                                                                                                                                                                                                            • Instruction ID: 4c8c2d80ac1b079380655c5ec4cbb732bc282f0004f1aa78e3f82d5ff21842fc
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3bb25a39c071496a06b616590bfd4f65b77da877f5bd338bfbeae23c9fbe291f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8FF090B1B402655FF704FB98ECD0CA533EAEBCC354760C019FB0593613CA7068069B61
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(100203D8,0000000A,?,00000000,10017836), ref: 10002E7E
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(100203D8), ref: 10002EAC
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,00002710), ref: 10002EBA
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(100203D8), ref: 10002EC1
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(100203D8), ref: 10002EE3
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeave$ObjectSingleWait
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1755037574-0
                                                                                                                                                                                                                            • Opcode ID: 1c097af206b97876061b063052c6263d78874f6a138238f18bb0d2092e23d612
                                                                                                                                                                                                                            • Instruction ID: e43171a4669c4619fb34f8ae264f673014ca4388743921c5762645a7f44c2943
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1c097af206b97876061b063052c6263d78874f6a138238f18bb0d2092e23d612
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66F03A757103249FF304D7A8DCD0CA973AEEBC8794764405AF741A3226C7B4BA428B61
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 10014666
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001467B
                                                                                                                                                                                                                            • DeviceIoControl.KERNEL32(FFFFFFFF,002201A8,?,00000004,00000000,00000000,?,00000000), ref: 100146A0
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100146AF
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$ControlDeviceEnter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3744975357-0
                                                                                                                                                                                                                            • Opcode ID: 1ae83451541ad7b1658e7e77a32fbb5fc71b43354f710eefe43c36ccfaec8dcc
                                                                                                                                                                                                                            • Instruction ID: 3db9b80ac07a141cc6bafe2479cacd36b1aa32743546a89e3ddafa96da967a27
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1ae83451541ad7b1658e7e77a32fbb5fc71b43354f710eefe43c36ccfaec8dcc
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 84F08270251310AFF201C7749C89F553399DF48B22F628708F326C90E1DF70D4049A51
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __snprintf.LIBCMT ref: 100131DB
                                                                                                                                                                                                                            • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,00000001), ref: 100131F5
                                                                                                                                                                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 1001321A
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • SYSTEM\CurrentControlSet\Services\%s, xrefs: 100131CC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseOpen__snprintf
                                                                                                                                                                                                                            • String ID: SYSTEM\CurrentControlSet\Services\%s
                                                                                                                                                                                                                            • API String ID: 2649323954-2757632955
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,QueryFullProcessImageNameW), ref: 100189EA
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 100189F1
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: QueryFullProcessImageNameW$kernel32
                                                                                                                                                                                                                            • API String ID: 1646373207-4169370628
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(kernel32,QueryFullProcessImageNameA), ref: 10018A0A
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 10018A11
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: QueryFullProcessImageNameA$kernel32
                                                                                                                                                                                                                            • API String ID: 1646373207-3526589867
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtQuerySymbolicLinkObject), ref: 10018A5A
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 10018A61
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: NtQuerySymbolicLinkObject$ntdll
                                                                                                                                                                                                                            • API String ID: 1646373207-3146753317
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetModuleHandleA.KERNEL32(ntdll,NtOpenSymbolicLinkObject), ref: 10018A7A
                                                                                                                                                                                                                            • GetProcAddress.KERNEL32(00000000), ref: 10018A81
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: AddressHandleModuleProc
                                                                                                                                                                                                                            • String ID: NtOpenSymbolicLinkObject$ntdll
                                                                                                                                                                                                                            • API String ID: 1646373207-699678798
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 10015CBC
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 10015CD8
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015D3B
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2978645861-0
                                                                                                                                                                                                                            • Opcode ID: 31d074460ceac946c0d193caf96497102455dab9f53a976f00f18180bc0b4a95
                                                                                                                                                                                                                            • Instruction ID: 6b063e24d70fe8b42fc37b21e784bd8b66a1ec8045d673d45357853a068beb0b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31d074460ceac946c0d193caf96497102455dab9f53a976f00f18180bc0b4a95
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B861AA76905700CFC314CF28D980A5AB7F6FB88661F548A2DF9598B341D736EA44CBA2
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 1001540F
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10015423
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001546A
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2978645861-0
                                                                                                                                                                                                                            • Opcode ID: f884fb650ff68b9350361ec3a5e3420faf4578eaab12f6148c9d3cfc54674c03
                                                                                                                                                                                                                            • Instruction ID: 3b9cdc21f64611186a4f192bef5eff766ae51078ef50db3d8a9c348abcb55b80
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f884fb650ff68b9350361ec3a5e3420faf4578eaab12f6148c9d3cfc54674c03
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2531D1756007149BC710CF2DEC8499A77E5EF88336F10432AF95D8B691D731E9848BD0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168,00000010,00000000,10015376), ref: 10017D12
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10017D7B
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10017DAE
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10017DC5
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168), ref: 10017DCE
                                                                                                                                                                                                                              • Part of subcall function 10007B2F: __lock.LIBCMT ref: 10007B4D
                                                                                                                                                                                                                              • Part of subcall function 10007B2F: ___sbh_find_block.LIBCMT ref: 10007B58
                                                                                                                                                                                                                              • Part of subcall function 10007B2F: ___sbh_free_block.LIBCMT ref: 10007B67
                                                                                                                                                                                                                              • Part of subcall function 10007B2F: HeapFree.KERNEL32(00000000,00000001,1001B588,0000000C,100094F4,00000000,1001B628,0000000C,1000952C,00000001,?,?,1000F77D,00000004,1001B950,0000000C), ref: 10007B97
                                                                                                                                                                                                                              • Part of subcall function 10007B2F: GetLastError.KERNEL32(?,1000F77D,00000004,1001B950,0000000C,1000B1A8,?,?,00000000,00000000,00000000,1000AB20,00000001,00000214), ref: 10007BA8
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$EnterErrorFreeHeapLast___sbh_find_block___sbh_free_block__lock
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2683178029-0
                                                                                                                                                                                                                            • Opcode ID: 745b44e389e3eb57d002cadd99901bb83912b5949676a4bdb36c585caf9445f7
                                                                                                                                                                                                                            • Instruction ID: b4225b4be6f6f7a218a50a7cc17e3f5341257b43a51e5c7c058e521d2863d70b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 745b44e389e3eb57d002cadd99901bb83912b5949676a4bdb36c585caf9445f7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C5219D765003158FD755CF14ED45AAA77B1FF9431570244BEF909CB222DB36D492CB81
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 100142CD
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100142E1
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100142FE
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2978645861-0
                                                                                                                                                                                                                            • Opcode ID: 91475d05e9af95ed88a2ca98d537037db2de0cf6f2e51c315e4e122b3160fcb0
                                                                                                                                                                                                                            • Instruction ID: 0688acbf623d954f04115705206b7a5878359c5d24a5a52100af0231af46e52b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 91475d05e9af95ed88a2ca98d537037db2de0cf6f2e51c315e4e122b3160fcb0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F411A0356102159FC700CF2DEC4489577AAEF89231712835AFD2C877A1EB31E8508AD0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 1001437D
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014391
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 100143AE
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2978645861-0
                                                                                                                                                                                                                            • Opcode ID: af989e02686470c58158b9f9546e3ca7512020e02bc5ed8235ce539b5489efd8
                                                                                                                                                                                                                            • Instruction ID: 4d93d7c43a49986c58b60d74623ea931e304e01d20275fc7b50258dea019b724
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: af989e02686470c58158b9f9546e3ca7512020e02bc5ed8235ce539b5489efd8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F11A0396102149FC700CF6DEC4489977A9EF88231711835AFD2CC77A1EB31E9118AD1
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 1001480D
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014821
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001483E
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2978645861-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(1002030C), ref: 1001476D
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 10014781
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(1002030C), ref: 1001479E
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$Leave$Enter
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2978645861-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 10010B83
                                                                                                                                                                                                                            • __isleadbyte_l.LIBCMT ref: 10010BB7
                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,FF000002,?,00000000,?,?,?,1000FF83,?,?,00000001), ref: 10010BE8
                                                                                                                                                                                                                            • MultiByteToWideChar.KERNEL32(840FFFF8,00000009,?,00000001,?,00000000,?,?,?,1000FF83,?,?,00000001), ref: 10010C56
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3058430110-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?,0000000A,759230B0,00000000,?,76EBFFB0,10017857), ref: 100014D0
                                                                                                                                                                                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,76EBFFB0,10017857), ref: 1000150F
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,000000FF,?,76EBFFB0,10017857), ref: 10001522
                                                                                                                                                                                                                            • _memmove_s.LIBCMT ref: 10001573
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseEventHandleObjectSingleWait_memmove_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3037655736-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __calloc_crt.LIBCMT ref: 10007E6E
                                                                                                                                                                                                                            • CreateThread.KERNEL32(?,?,10007DB3,00000000,?,?), ref: 10007EB2
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,00003001,?,?,10017A59,00000000,00000000,10017590,00000000,00000000,?,?,10017CBE), ref: 10007EBC
                                                                                                                                                                                                                            • __dosmaperr.LIBCMT ref: 10007ED4
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateErrorLastThread__calloc_crt__dosmaperr
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 84609068-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • DeleteCriticalSection.KERNEL32(100203D8,9D13258C,?,?,?,?,1001875C,000000FF), ref: 10002B72
                                                                                                                                                                                                                              • Part of subcall function 100014C0: SetEvent.KERNEL32(?,0000000A,759230B0,00000000,?,76EBFFB0,10017857), ref: 100014D0
                                                                                                                                                                                                                              • Part of subcall function 100014C0: WaitForSingleObject.KERNEL32(?,000000FF,?,76EBFFB0,10017857), ref: 1000150F
                                                                                                                                                                                                                              • Part of subcall function 100014C0: CloseHandle.KERNEL32(?,?,000000FF,?,76EBFFB0,10017857), ref: 10001522
                                                                                                                                                                                                                              • Part of subcall function 100014C0: _memmove_s.LIBCMT ref: 10001573
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,1001875C,000000FF), ref: 10002B93
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,1001875C,000000FF), ref: 10002BAA
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,1001875C,000000FF), ref: 10002BE7
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseHandle$CriticalDeleteEventObjectSectionSingleWait_memmove_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3715746028-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • DeleteCriticalSection.KERNEL32(10020458,9D13258C,?,?,?,?,1001875C,000000FF), ref: 100035F2
                                                                                                                                                                                                                              • Part of subcall function 100014C0: SetEvent.KERNEL32(?,0000000A,759230B0,00000000,?,76EBFFB0,10017857), ref: 100014D0
                                                                                                                                                                                                                              • Part of subcall function 100014C0: WaitForSingleObject.KERNEL32(?,000000FF,?,76EBFFB0,10017857), ref: 1000150F
                                                                                                                                                                                                                              • Part of subcall function 100014C0: CloseHandle.KERNEL32(?,?,000000FF,?,76EBFFB0,10017857), ref: 10001522
                                                                                                                                                                                                                              • Part of subcall function 100014C0: _memmove_s.LIBCMT ref: 10001573
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,1001875C,000000FF), ref: 10003613
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,1001875C,000000FF), ref: 1000362A
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(?,?,?,?,?,1001875C,000000FF), ref: 10003667
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseHandle$CriticalDeleteEventObjectSectionSingleWait_memmove_s
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3715746028-0
                                                                                                                                                                                                                            • Opcode ID: 63cec45596fa0ece01aef7757e97c95d257c6fcde774a1e3c521d25e9a1047f9
                                                                                                                                                                                                                            • Instruction ID: e4b86ddf39c1be931d4e7214d39989b71f3d296ab9120b50707eace9ea249c52
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 63cec45596fa0ece01aef7757e97c95d257c6fcde774a1e3c521d25e9a1047f9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9621A1F49043919FE310EF6C8C8860A7BDAF704274FE08719F565872E7C739A9058BA2
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,10018648,000000FF), ref: 1000337E
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,10018648,000000FF), ref: 100033BD
                                                                                                                                                                                                                            • SetEvent.KERNEL32(?), ref: 100033CF
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(?), ref: 100033D2
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalEventSection$EnterLeave
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2034477713-0
                                                                                                                                                                                                                            • Opcode ID: 26d7926c99e25f810d7718daa53f3b713310baac375bc8a9718a81a7c18c5246
                                                                                                                                                                                                                            • Instruction ID: e5964f4e11a61a5ceb4984cd574a80e3950d02b8ad30e80ede868aa41323114b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 26d7926c99e25f810d7718daa53f3b713310baac375bc8a9718a81a7c18c5246
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A5119D71504B44DFD321CF25C884B5BB7E8FB48260F008A2AE49A83A90DB79FA44CB91
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • EnterCriticalSection.KERNEL32(10020168,?,?,1001533B), ref: 10017DFF
                                                                                                                                                                                                                            • LeaveCriticalSection.KERNEL32(10020168,?,1001533B), ref: 10017E29
                                                                                                                                                                                                                            • _malloc.LIBCMT ref: 10017E33
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CriticalSection$EnterLeave_malloc
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4242827099-0
                                                                                                                                                                                                                            • Opcode ID: d9080a10b4345808967dd27d92c9b69f056f69c068306372603454a2a88374c5
                                                                                                                                                                                                                            • Instruction ID: 61feaa6bcb75b8102a09506a810e75e671a35ffd5e85a93e1235847fc3054c73
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d9080a10b4345808967dd27d92c9b69f056f69c068306372603454a2a88374c5
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66118276A002138BD755CB2CFD4199673F6FFD42A035582BEE80DCB225EA31DC918B80
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 00402546: __amsg_exit.LIBCMT ref: 00402554
                                                                                                                                                                                                                            • __amsg_exit.LIBCMT ref: 00403BB6
                                                                                                                                                                                                                            • __lock.LIBCMT ref: 00403BC6
                                                                                                                                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 00403BE3
                                                                                                                                                                                                                            • InterlockedIncrement.KERNEL32(024116C0), ref: 00403C0E
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4129207761-0
                                                                                                                                                                                                                            • Opcode ID: 52a3e7971e82fb72f830ee4ccc85c939e43fcece51e1a5e76106840384332467
                                                                                                                                                                                                                            • Instruction ID: 4c552d2baa94243f91659daba1be32444af7e91f1612fcd78746f7470628c05b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 52a3e7971e82fb72f830ee4ccc85c939e43fcece51e1a5e76106840384332467
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8B01A532900721ABD711BF269906B5ABF74AB00759F14403BE800772D2CB7CAE81DB9E
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 1000AB6E: __amsg_exit.LIBCMT ref: 1000AB7C
                                                                                                                                                                                                                            • __amsg_exit.LIBCMT ref: 1000F279
                                                                                                                                                                                                                            • __lock.LIBCMT ref: 1000F289
                                                                                                                                                                                                                            • InterlockedDecrement.KERNEL32(?), ref: 1000F2A6
                                                                                                                                                                                                                            • InterlockedIncrement.KERNEL32(00A716B8), ref: 1000F2D1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Interlocked__amsg_exit$DecrementIncrement__lock
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 4129207761-0
                                                                                                                                                                                                                            • Opcode ID: 688ec18e88f5c39b8294586d72f857720aa36dea6ca6f4b7078c97f8e49bdce4
                                                                                                                                                                                                                            • Instruction ID: fffc615c0fb4f66862dac9a19bb85b947d9e820b5dc1b207d8f39025125812c1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 688ec18e88f5c39b8294586d72f857720aa36dea6ca6f4b7078c97f8e49bdce4
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AE01923AD01762ABFB11DB64884576DB3A0FF057E0F118109F80067A89CB38BD81EBD5
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetLastError.KERNEL32(?,?,0040199A), ref: 004024D1
                                                                                                                                                                                                                              • Part of subcall function 004023A1: TlsGetValue.KERNEL32(?,004024E4,?,?,0040199A), ref: 004023A8
                                                                                                                                                                                                                              • Part of subcall function 004023A1: TlsSetValue.KERNEL32(00000000,004024E4,?,?,0040199A), ref: 004023C9
                                                                                                                                                                                                                            • __calloc_crt.LIBCMT ref: 004024F3
                                                                                                                                                                                                                              • Part of subcall function 00404107: __calloc_impl.LIBCMT ref: 00404115
                                                                                                                                                                                                                              • Part of subcall function 00404107: Sleep.KERNEL32(00000000), ref: 0040412C
                                                                                                                                                                                                                              • Part of subcall function 0040232A: TlsGetValue.KERNEL32(00000000,004023BF,?,004024E4,?,?,0040199A), ref: 00402337
                                                                                                                                                                                                                              • Part of subcall function 0040232A: TlsGetValue.KERNEL32(00000006,?,004024E4,?,?,0040199A), ref: 0040234E
                                                                                                                                                                                                                              • Part of subcall function 00402410: GetModuleHandleA.KERNEL32(KERNEL32.DLL,00409438,0000000C,00402521,00000000,00000000,?,?,0040199A), ref: 00402421
                                                                                                                                                                                                                              • Part of subcall function 00402410: GetProcAddress.KERNEL32(?,EncodePointer), ref: 00402455
                                                                                                                                                                                                                              • Part of subcall function 00402410: GetProcAddress.KERNEL32(?,DecodePointer), ref: 00402465
                                                                                                                                                                                                                              • Part of subcall function 00402410: InterlockedIncrement.KERNEL32(0040A460), ref: 00402487
                                                                                                                                                                                                                              • Part of subcall function 00402410: __lock.LIBCMT ref: 0040248F
                                                                                                                                                                                                                              • Part of subcall function 00402410: ___addlocaleref.LIBCMT ref: 004024AE
                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 00402523
                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,0040199A), ref: 0040253B
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547310419.0000000000401000.00000020.00000001.01000000.00000009.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547277066.0000000000400000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547353674.0000000000408000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547379256.000000000040A000.00000004.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547402865.000000000040C000.00000002.00000001.01000000.00000009.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_400000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1081334783-0
                                                                                                                                                                                                                            • Opcode ID: 5ab9714a243f0ffc41694fcd0ac968f58e359ad798ea549c5e95678d0f806d4d
                                                                                                                                                                                                                            • Instruction ID: 6e150c00b90b0de194aaa4e6d30466842cabbf0b81775d3192f362ebb9054922
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5ab9714a243f0ffc41694fcd0ac968f58e359ad798ea549c5e95678d0f806d4d
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B3F0F432000621AAC63227757E0D64B2B50AF50775B21413EF985B61E1CEB88940869D
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • GetLastError.KERNEL32(00000001,00000000,10009235,1000A326,00000001,1000A856,00000000,00000000,00000001,?,?,?,1000A968,?,1000ACF2,00000000), ref: 1000AAF9
                                                                                                                                                                                                                              • Part of subcall function 1000A9B0: TlsGetValue.KERNEL32(00000000,1000AB0C,?,?,?,1000A968,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001), ref: 1000A9B7
                                                                                                                                                                                                                              • Part of subcall function 1000A9B0: TlsSetValue.KERNEL32(00000000,?,?,1000A968,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27), ref: 1000A9D8
                                                                                                                                                                                                                            • __calloc_crt.LIBCMT ref: 1000AB1B
                                                                                                                                                                                                                              • Part of subcall function 1000B195: __calloc_impl.LIBCMT ref: 1000B1A3
                                                                                                                                                                                                                              • Part of subcall function 1000B195: Sleep.KERNEL32(00000000), ref: 1000B1BA
                                                                                                                                                                                                                              • Part of subcall function 1000A91E: TlsGetValue.KERNEL32(?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001,?,?,1001B608), ref: 1000A92B
                                                                                                                                                                                                                              • Part of subcall function 1000A91E: TlsGetValue.KERNEL32(00000002,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27,00000001), ref: 1000A942
                                                                                                                                                                                                                              • Part of subcall function 1000AA38: GetModuleHandleA.KERNEL32(KERNEL32.DLL,1001B668,0000000C,1000AB49,00000000,00000000,?,?,?,1000A968,?,1000ACF2,00000000,00000000,10008BC3,00000000), ref: 1000AA49
                                                                                                                                                                                                                              • Part of subcall function 1000AA38: GetProcAddress.KERNEL32(?,EncodePointer), ref: 1000AA7D
                                                                                                                                                                                                                              • Part of subcall function 1000AA38: GetProcAddress.KERNEL32(?,DecodePointer), ref: 1000AA8D
                                                                                                                                                                                                                              • Part of subcall function 1000AA38: InterlockedIncrement.KERNEL32(1001E5E0), ref: 1000AAAF
                                                                                                                                                                                                                              • Part of subcall function 1000AA38: __lock.LIBCMT ref: 1000AAB7
                                                                                                                                                                                                                              • Part of subcall function 1000AA38: ___addlocaleref.LIBCMT ref: 1000AAD6
                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 1000AB4B
                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000000,?,?,?,1000A968,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001), ref: 1000AB63
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$AddressErrorLastProc$CurrentHandleIncrementInterlockedModuleSleepThread___addlocaleref__calloc_crt__calloc_impl__lock
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1081334783-0
                                                                                                                                                                                                                            • Opcode ID: 47baad0c142978dd281d06efe9ff58a8f45b381e9549035b39ead8b204b2342f
                                                                                                                                                                                                                            • Instruction ID: 6fb4e631f38a478814a727dc28711fd6a3486464b3ce86ddb14d750e3725a89c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 47baad0c142978dd281d06efe9ff58a8f45b381e9549035b39ead8b204b2342f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0BF028329016325EF726AB746C09B9E3A91DF067F07118318F540D70E5CF34DC808690
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10013A8F
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 10013AB5
                                                                                                                                                                                                                            • GetModuleFileNameExW.PSAPI(00000000,00000000,?,?), ref: 10013ACD
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?), ref: 10013AD5
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseHandle$FileModuleNameOpenProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3706008839-0
                                                                                                                                                                                                                            • Opcode ID: 77a01a2355183141ac97614d7ed4b7053512745596251045c5cd6b166a56d9cf
                                                                                                                                                                                                                            • Instruction ID: 9d03786ab276ef560676e71944a6f241f9687970605c8b5740b5995641b249e1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 77a01a2355183141ac97614d7ed4b7053512745596251045c5cd6b166a56d9cf
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BEF090363042216FE211CB6AEC88D6F37EDEFC9A11B054818F544C3200DA30DC0AC6B2
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 10013AEF
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000), ref: 10013B15
                                                                                                                                                                                                                            • GetModuleFileNameExA.PSAPI(00000000,00000000,?,?), ref: 10013B2D
                                                                                                                                                                                                                            • CloseHandle.KERNEL32(00000000,00000000,00000000,?,?), ref: 10013B35
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            • Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CloseHandle$FileModuleNameOpenProcess
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3706008839-0
                                                                                                                                                                                                                            • Opcode ID: 8cc178218c7d8c3221216592da3333f16c171a7615b685b5cff0377258111b15
                                                                                                                                                                                                                            • Instruction ID: 8e40d057b3745753bf0ea22a452f5ad3ee9e323a75b10f58dd7a4a987a81d136
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8cc178218c7d8c3221216592da3333f16c171a7615b685b5cff0377258111b15
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00F06D763053616BE211DB29EC88E6B37A9EBC9A11B054919F604C3200DB30EC4AC6B1
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 1000A9B0: TlsGetValue.KERNEL32(00000000,1000AB0C,?,?,?,1000A968,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001), ref: 1000A9B7
                                                                                                                                                                                                                              • Part of subcall function 1000A9B0: TlsSetValue.KERNEL32(00000000,?,?,1000A968,?,1000ACF2,00000000,00000000,10008BC3,00000000,?,?,00000001,?,?,10008C27), ref: 1000A9D8
                                                                                                                                                                                                                              • Part of subcall function 1000A995: TlsGetValue.KERNEL32(?,10007DC4,00000000), ref: 1000A99F
                                                                                                                                                                                                                            • GetLastError.KERNEL32(00000000,?,00000000), ref: 10007DDC
                                                                                                                                                                                                                            • ExitThread.KERNEL32 ref: 10007DE3
                                                                                                                                                                                                                            • GetCurrentThreadId.KERNEL32 ref: 10007DE9
                                                                                                                                                                                                                            • __freefls@4.LIBCMT ref: 10007E0A
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: Value$Thread$CurrentErrorExitLast__freefls@4
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3657912857-0
                                                                                                                                                                                                                            • Opcode ID: 64a50246a69103428987866c6c5c24afc67ad888acb03d37522b74bef4819570
                                                                                                                                                                                                                            • Instruction ID: 77834a4035ff60ce0f3138a5f24efa19d5a290510d67734f4d47669ef0895791
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 64a50246a69103428987866c6c5c24afc67ad888acb03d37522b74bef4819570
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC01D67C9016519FF305EB70CC48A4E37F9FF492C0B228569F9098712ADB38E882CB52
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog3.LIBCMT ref: 10007AF7
                                                                                                                                                                                                                            • __CxxThrowException@8.LIBCMT ref: 10007B29
                                                                                                                                                                                                                              • Part of subcall function 10008D7B: RaiseException.KERNEL32(?,?,10008876,?,?,?,?,?,10008876,?,1001BB8C,1001F1E4), ref: 10008DBB
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • invalid string position, xrefs: 10007AFC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001A.00000002.2547820943.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Offset: 10000000, based on PE: true
• Associated: 0000001A.00000002.2547796250.0000000010000000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547851181.0000000010019000.00000002.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547878624.000000001001E000.00000004.00000001.01000000.0000000A.sdmp
• Associated: 0000001A.00000002.2547901263.0000000010022000.00000002.00000001.01000000.0000000A.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_26_2_10000000_nfregdrv.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ExceptionException@8H_prolog3RaiseThrow
                                                                                                                                                                                                                            • String ID: invalid string position
                                                                                                                                                                                                                            • API String ID: 1961742612-1799206989
                                                                                                                                                                                                                            • Opcode ID: 65eb9927a461a61c6ced63933107e4e21b974b836ce3081774b1cc0b4902cc7c
                                                                                                                                                                                                                            • Instruction ID: d17f9ad7a6bda8f05d9bf2ec8c2e610a9defb4f0618d30455176f24681aaa848
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 65eb9927a461a61c6ced63933107e4e21b974b836ce3081774b1cc0b4902cc7c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E1E0E275900458ABEB00DBD4CC45BDEB778FB18350F400129E245BB48AEFB8A688CB61

                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                            Execution Coverage:3.1%
                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                            Signature Coverage:0%
                                                                                                                                                                                                                            Total number of Nodes:26
                                                                                                                                                                                                                            Total number of Limit Nodes:1

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 00F21F89
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.3011316915.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_f20000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ManagerOpen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1889721586-0
                                                                                                                                                                                                                            • Opcode ID: 276042616e2849e4b8a6c9ef7ba29ac79d45efa4e4d61ccc35f00f3fa9c61b8a
                                                                                                                                                                                                                            • Instruction ID: b561f3d2b276c9d8202ae4457f85a6b60666cc97d1482ce4bde893067a457539
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 276042616e2849e4b8a6c9ef7ba29ac79d45efa4e4d61ccc35f00f3fa9c61b8a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 152138B6D003199FDB10CF9AD944ADEFBF5FB58310F14852EE429A7200C375A904CBA4

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 00F21F89
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000001E.00000002.3011316915.0000000000F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_30_2_f20000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ManagerOpen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1889721586-0
                                                                                                                                                                                                                            • Opcode ID: 548db3d21c44df78b5ca2374981f2befae7d7cba85c5c60fdc6021d82cf5c463
                                                                                                                                                                                                                            • Instruction ID: 5b001440535647c5da9fae531c7cf0e195df3f75799c8ab87ca433d64ae0c481
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 548db3d21c44df78b5ca2374981f2befae7d7cba85c5c60fdc6021d82cf5c463
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F52125B6D002598FDB14CFA9D984ADEFBB5FB99310F14852EE429A7200C375A905CBA4

                                                                                                                                                                                                                            Execution Graph

                                                                                                                                                                                                                            Execution Coverage:12.2%
                                                                                                                                                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                                                                                                                                                            Signature Coverage:3.7%
                                                                                                                                                                                                                            Total number of Nodes:80
                                                                                                                                                                                                                            Total number of Limit Nodes:8
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CreateNamedPipeA.KERNEL32(?,?,?,?,?,?,?,?), ref: 013428F9
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003682338.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_1340000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateNamedPipe
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2489174969-0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $#cq$(:p$(Ahq$(ocq$, cq$,gq$,gq$0"cq$09p$4'cq$4ccq$H;p$Hbdq$LRcq$Ldp$PHcq$Ppcq$X#cq$\;cq$\scq$p cq$p<cq$pBhq$p`cq$x hq$xgq$|bdq$|hq$hq$$cq$:p$;cq$ccq
                                                                                                                                                                                                                            • API String ID: 0-2565437080
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • ConnectNamedPipe.KERNEL32(?,?), ref: 01342AD6
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003682338.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_1340000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ConnectNamedPipe
                                                                                                                                                                                                                            • String ID: $gq
                                                                                                                                                                                                                            • API String ID: 2191148154-38943176
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • ConnectNamedPipe.KERNEL32(?,?), ref: 01342AD6
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003682338.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_1340000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ConnectNamedPipe
                                                                                                                                                                                                                            • String ID: $gq
                                                                                                                                                                                                                            • API String ID: 2191148154-38943176
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: (gq$(gq
                                                                                                                                                                                                                            • API String ID: 0-3425431731
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 0-65463447
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $cq
                                                                                                                                                                                                                            • API String ID: 0-2110363268
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CreateNamedPipeA.KERNEL32(?,?,?,?,?,?,?,?), ref: 013428F9
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003682338.0000000001340000.00000040.00000800.00020000.00000000.sdmp, Offset: 01340000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_1340000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateNamedPipe
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 2489174969-0
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $Yqq
                                                                                                                                                                                                                            • API String ID: 0-2086665047
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Shell_NotifyIconW.SHELL32(?,-00000428), ref: 065334DA
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4032258571.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_6530000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: IconNotifyShell_
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1144537725-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • Shell_NotifyIconW.SHELL32(?,-00000428), ref: 065334DA
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4032258571.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_6530000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: IconNotifyShell_
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1144537725-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 0C2D02CC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4047611195.000000000C2D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2D0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_c2d0000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: LibraryLoad
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1029625771-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • LoadLibraryA.KERNELBASE(?), ref: 0C2D02CC
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4047611195.000000000C2D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0C2D0000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_c2d0000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: LibraryLoad
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1029625771-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CreateWindowExW.USER32(?,00000000,00000000,?,?,00000000,?,?,?,?,?,?), ref: 06532DB6
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4032258571.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_6530000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • CreateWindowExW.USER32(?,00000000,00000000,?,?,00000000,?,?,?,?,?,?), ref: 06532DB6
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4032258571.0000000006530000.00000040.00000800.00020000.00000000.sdmp, Offset: 06530000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_6530000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CreateWindow
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 716092398-0
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: d
                                                                                                                                                                                                                            • API String ID: 0-2564639436
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: ,gq
                                                                                                                                                                                                                            • API String ID: 0-3993090981
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: ,gq
                                                                                                                                                                                                                            • API String ID: 0-3993090981
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: Hgq
                                                                                                                                                                                                                            • API String ID: 0-2103768809
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: 4'cq
                                                                                                                                                                                                                            • API String ID: 0-182294849
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: $cq
                                                                                                                                                                                                                            • API String ID: 0-2110363268
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 0-65463447
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 0-65463447
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: `]hq
                                                                                                                                                                                                                            • API String ID: 0-4095751673
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: ^p
                                                                                                                                                                                                                            • API String ID: 0-2464009452
                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 232e0ccff61a81073e6d4057efa0884245d7f4ed24762223f73fd25539b45ea6
                                                                                                                                                                                                                            • Instruction ID: 906dc53b5193bfdf822e6ae2ba50e6a2136f17ffae5a08f58d154c187877f858
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 232e0ccff61a81073e6d4057efa0884245d7f4ed24762223f73fd25539b45ea6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D1815830704201EFDF159B2CD454A6A7BE7EFC8350B648829E51ACB3A6DB31DC46C7A1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 64ebc3b02e71f9d538e29e2ce8a47ae299da4646c6e3ab096a1a48bef1336eee
                                                                                                                                                                                                                            • Instruction ID: 9d704f81bd136105ed1d71e779f2f72561995b3d7d7d31ae0de3af7ae32011b2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 64ebc3b02e71f9d538e29e2ce8a47ae299da4646c6e3ab096a1a48bef1336eee
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3B8150B06006019FDB48DF58D45876A7AE2EF85308F61846CD0098F392DBBAD94BCB95
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: d101e21951eefa6dc50da976e47be80d86f06b0c283430fd694998acd126e3ba
                                                                                                                                                                                                                            • Instruction ID: 4e816399a44225cc2b139b59bd041d466a9426750853c428af1da5c7546ce694
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d101e21951eefa6dc50da976e47be80d86f06b0c283430fd694998acd126e3ba
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 97715FB06006019FDB48DF58D45872A7AE6EF85308F60846CD0098F392DBBAD94BCBD5
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 88376527f40e0ff789d559ff682cd0b850efb66349b4138176f3d7ed34a1b18a
                                                                                                                                                                                                                            • Instruction ID: 1aefc5c65844c52084f190c72709cc8895ef86cc32cfb5bfde1d6e1acde01781
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 88376527f40e0ff789d559ff682cd0b850efb66349b4138176f3d7ed34a1b18a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1F719F70A00609DFCB15DF68C5949AEBBF2FFC8300B548569E406AB365DB30ED06CB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 10792f34e0d2fe4760114ac37f0477072e8f60eca68985e2d65d9cee888adead
                                                                                                                                                                                                                            • Instruction ID: fc981feb0fe3293e6fcd35863c3c47db92bfabeca901c5351fb430cab8ff2794
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 10792f34e0d2fe4760114ac37f0477072e8f60eca68985e2d65d9cee888adead
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FF619F31A00609DFCF21CF5DC580AAABBF6FF86310F5585A5E8199B251CB31ED86CB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: c3afb3c8cbe23ec4330f968d07bd7d2fa44fb5d5b7c4f338fc384f85f62e944f
                                                                                                                                                                                                                            • Instruction ID: 45ba047ef0ace57538190b2ac967f1e942107f157e552af5ffca30c852336104
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c3afb3c8cbe23ec4330f968d07bd7d2fa44fb5d5b7c4f338fc384f85f62e944f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1251AD70B442069FDF658FB9C49436B7BB3EBC8746F248829D516CB255EB30CA82C791
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 3bd62e2bd3c62769dcfb8812c3cfdbe534d342d4a1ce3711507665d4af3ec725
                                                                                                                                                                                                                            • Instruction ID: 15661ff1efd7e45317f621e0c5dcce41b81278e08a26d644df1d02efae082fc3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3bd62e2bd3c62769dcfb8812c3cfdbe534d342d4a1ce3711507665d4af3ec725
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2E516874B002059FDB19DF69D868BAEBAE6FBC8341F548029E906A7394DF349D018B94
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 644114f82c789b32f9c4b79f38b873340949c7e1713b86d65636476975b4619c
                                                                                                                                                                                                                            • Instruction ID: 093cdc0bf8d99b79669b63943fcce81f05ac5c141ec99691e3bbc4dad8bf6c89
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 644114f82c789b32f9c4b79f38b873340949c7e1713b86d65636476975b4619c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 17714C70A007059FCB05DF68C584A9ABBF2FF89304B64C969D4599F362D770ED86CB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 1e5fc1fa73f453cab01cadfd9beb0a7d97b98841d560f79356c703299770295c
                                                                                                                                                                                                                            • Instruction ID: fb0dc42d72c194ce0b2b8063fe7428c9cd36f0b5326c456804bf0edaa1ebdadb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e5fc1fa73f453cab01cadfd9beb0a7d97b98841d560f79356c703299770295c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24513D75A00205DFCB15CF64D494A9DBBF2FF88310F1985A9E845AB366DB31EC81CB50
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 845df6f365c35016b165f45c7b43f5b033586260b871fa00ff7f34ff6f5f67b7
                                                                                                                                                                                                                            • Instruction ID: 56b05d06e5ad7b041bc539d05e2dc5b0a9d3f67b18c369dcf7d6243a53852d65
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 845df6f365c35016b165f45c7b43f5b033586260b871fa00ff7f34ff6f5f67b7
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0E511C75A00205DFCB15CF64D498AA9BBF2FF89310F1985A9E845EB366DB31EC81CB50
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: bf0bfa2749242aef6f5702c39fa4174a5d57a4c61fbafd7670fe4ba7b5a6b731
                                                                                                                                                                                                                            • Instruction ID: 4a9fd83ac54011a03904ce49df4ee77ebc1da42c058c7681be421a15d76ff216
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bf0bfa2749242aef6f5702c39fa4174a5d57a4c61fbafd7670fe4ba7b5a6b731
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4417B71B002058FCB14DF39D98496EBBE6FFC865075585A9D50ADB3A5DB30EC01CBA0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 26611afb9afdf844a4ab6bcc11285a2850c5bfcfc213727f8ab247a052d01198
                                                                                                                                                                                                                            • Instruction ID: a72409b30192c33f11e7fa95220d65f290a7441af8810b6ae2b5e66360faab24
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 26611afb9afdf844a4ab6bcc11285a2850c5bfcfc213727f8ab247a052d01198
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3D31F9337482109FDF259BADE4946AAB7E7EBC8371B14807AE609CB211D762DC43C791
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 07f76d04c30b932c3890fe5a0b3f6ea586cddcdbb76cf139d3d2851d59f83ffe
                                                                                                                                                                                                                            • Instruction ID: bdaadaf407f1274e72d383d81de4fcd3936402e5fa946f139fc48baf4dbea1c6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 07f76d04c30b932c3890fe5a0b3f6ea586cddcdbb76cf139d3d2851d59f83ffe
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB413534A00606CFCB14CF59C484DAABBF2FF99350B19C9A9E5599B361E730F906CB94
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: a0aa7ac4f3d0805281513629cc032958e5739a9c249298c5f129a4f55823b366
                                                                                                                                                                                                                            • Instruction ID: 01270f772f956fd0be2c00f940a7f75757cf65bd344d40df6f133e9dcf0c3eb9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0aa7ac4f3d0805281513629cc032958e5739a9c249298c5f129a4f55823b366
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06415975B01610AFCB55DF38D484A6EBBF6EF89340B148568E806CB356CB71ED46CB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 2de67f8ac05b97ffaea2c34d44c7b5da9784bb63f32e2b8268e95c9a9db96008
                                                                                                                                                                                                                            • Instruction ID: a501e0090a31bb079b22c17cade9d4d27dacb3f525800c1a4b057d89c111a306
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2de67f8ac05b97ffaea2c34d44c7b5da9784bb63f32e2b8268e95c9a9db96008
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B8315775B01210AFCB45DF38D88496EBBB6EF89340B148568E806CB351DB31EE42CB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 93392ed963a52bb4b702b99363a28fc9c24e1834958e9e5338844cc5fc7653c8
                                                                                                                                                                                                                            • Instruction ID: c68eee9e73a834477294adb582a13d7e82824ad44e68ccadf7b73a061d94027e
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 93392ed963a52bb4b702b99363a28fc9c24e1834958e9e5338844cc5fc7653c8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 51217675B002118FCB14DF39D88096EBBF6BFC965072485A9D90AEB365DB31DC02CBA1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003031991.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12fd000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: d97cbfa284175cc5fa489549ebd0023a9d9b5b4dccd7c09f62bf35e78ac6ce27
                                                                                                                                                                                                                            • Instruction ID: f8a57120074f7a34338f88ee71e51ceab087db5c4f0b6975e6c1644178a1508a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d97cbfa284175cc5fa489549ebd0023a9d9b5b4dccd7c09f62bf35e78ac6ce27
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9431A276114240EFDF079F58C9C0F16BF66FB48314F2585ACEB094A266D336D456CB51
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003031991.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12fd000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 948cde20c13ff639c6c8b3514da51abc2c5df2ca39b973a53dec4362c0a7a85a
                                                                                                                                                                                                                            • Instruction ID: 9d51de200c63f88d9b7d19d15ea72a0ce85ebe2f512241b8677715926378dde3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 948cde20c13ff639c6c8b3514da51abc2c5df2ca39b973a53dec4362c0a7a85a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B431C372114240EFDF079F58D9C0F16BF6AFB88320F2685ACEE090A66AC336D455CB61
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003031991.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12fd000_FastestVPN.jbxd
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 81bc481eaee44fe26e2c3f7c32ec89ccb704547cbd072a47f23f635c24031534
                                                                                                                                                                                                                            • Instruction ID: 2c81e98489149999f9d5eb0ffd466b3b6207662c2be35331cf62c22a339627c0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 81bc481eaee44fe26e2c3f7c32ec89ccb704547cbd072a47f23f635c24031534
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F321A176400240DFDF078F48D9C4B55BF72FF48310F2581A9EE090A66AC336D466DB51
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 00789fdd8077d2e10f4fab3a162d06183c545f926def42163f7a21711bfb9883
                                                                                                                                                                                                                            • Instruction ID: 3d5ee7b867b105898167623a5fbce51c0ffc3b5d9ac161f114e8f1417da2c646
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 00789fdd8077d2e10f4fab3a162d06183c545f926def42163f7a21711bfb9883
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D611A570308311A7EB281A6E584437B6ADBFBC4750F148437A519C7384DF66CD42C2E1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003031991.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12fd000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 132f171f61138ad712d7a619ed6f42fb7eabf739cf58823bf71ae1f3d4158604
                                                                                                                                                                                                                            • Instruction ID: 9928fb48f71156b3559609ec591d0692371e5ccf9f14d975bf40022b233db846
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 132f171f61138ad712d7a619ed6f42fb7eabf739cf58823bf71ae1f3d4158604
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 63217C755093848FDB03CF24D994715BF71EB46314F28C5EED9498B2A7C33A980ACB62
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003031991.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12fd000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 15aab3c26004f4562f17e5c437c4ea7468c271c64161690821f2acf0f8d2450c
                                                                                                                                                                                                                            • Instruction ID: 01b692aac3cd59a6c41db6c45ea932b22740dc29b6d6aac61b34531bc91241c2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 15aab3c26004f4562f17e5c437c4ea7468c271c64161690821f2acf0f8d2450c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F216A7A500240EFDF06CF94C9C0B15BF62FB48324F2586ADEE090A26AC336D466DB51
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003031991.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12fd000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: cd7db30da2bfdb9f1a9febcffb4be3f4d9242a8a5b28b617cf9223581590f01a
                                                                                                                                                                                                                            • Instruction ID: 21b02d380015481b3f457fe412cb46b43159bb35cfa5aef47fe60158fd0321e1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cd7db30da2bfdb9f1a9febcffb4be3f4d9242a8a5b28b617cf9223581590f01a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E2218E76404240DFCF07CF54D9C4B56BF72FB88314F2586A9EE090A26AC336D426DB91
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
                                                                                                                                                                                                                            • Instruction ID: 3e1c4176c4970ce328bccd18fb576bbd57c375aaf28e52c6e33f99628b65a26b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f3b49ebb3647464524db950c25b84bc30cf7f483e8b35816b047356ddc5e1881
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3621DF76444284DFCF0ACF54D9C4B16BFB2FB88314F24C6A9DA480B256C33AD426CB92
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: ab07746da200b2c80c1b212699b4a0545894c78cfc891929646a5a2b00c0a14e
                                                                                                                                                                                                                            • Instruction ID: b2b134f3e6a432813d2e058a2d06ffc8d8dc933e6ed95bb00009ae4916693af7
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ab07746da200b2c80c1b212699b4a0545894c78cfc891929646a5a2b00c0a14e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4911C2313043008FDB21CB6CD805F667BF9DF82360F548AAAE255CF6A2D7B1E8468751
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: f791e23db275879314f9f94b449447f6aa3810815044e8f5cbdb4f3094dfe349
                                                                                                                                                                                                                            • Instruction ID: 9aa9093225baeb573441ff6ec821755d7d1215be992414087793a88783c79399
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f791e23db275879314f9f94b449447f6aa3810815044e8f5cbdb4f3094dfe349
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FD11C8323043146FD714DFA8D844EAB7BE9FB88310F14492AF545CB341EB71D90587A0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 17322a8b54b7925236e09738bbfe4ab046db35d450e49cbd8bb87ff854dfaf07
                                                                                                                                                                                                                            • Instruction ID: c4547b5ad4885a2ab872b01774f6b16b4e6ec6a07a9f585913db62dcd405511c
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 17322a8b54b7925236e09738bbfe4ab046db35d450e49cbd8bb87ff854dfaf07
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC112B35B001189FCB44EF69E8449AEBBB6FFC9361B50C126E805D7354DB34AE06CB91
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4003031991.00000000012FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012FD000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12fd000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 374b6d144d8ea52e245934cfab59432f3be3167dc947df5f844818777ccf277c
                                                                                                                                                                                                                            • Instruction ID: 8d19f2c8aeef1898993d548de3b780bdb2a96b4f25f5b8f1d49923c7c0520a19
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 374b6d144d8ea52e245934cfab59432f3be3167dc947df5f844818777ccf277c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 39110975E01219AFDF14DFA5D944AEEBBF2AF88300F148069E815B6250CB315A04DF60
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: ff107be9ec4c662966ffe075878caad753df14a6c9aab8e18e2a094ea7e90408
                                                                                                                                                                                                                            • Instruction ID: 06e9ca598c644ea6aeeb61d966aa6e9ca0e58798869e4ef65e29c8c820785969
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ff107be9ec4c662966ffe075878caad753df14a6c9aab8e18e2a094ea7e90408
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 47010575E01218ABDF04DFA5D944AEEBBF2AF88310F148029E815B6250CB319A04CBA0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 34b3b241829db138b4be87e862fb32a5f85b1336261827348ccfe6ed73100618
                                                                                                                                                                                                                            • Instruction ID: aba1f9ba0f038ee4777146824bb4bbf82d69da742e9101b6f9b17db8eb16e067
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 34b3b241829db138b4be87e862fb32a5f85b1336261827348ccfe6ed73100618
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78018C34A01702DFCF299B39E40463BB7F7FFD4605B58882DE50686604EB72E581CB92
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: cf78ebf1e67392e563569423ac8251aaa9bad67d35f4e666dfefdb883c0d054a
                                                                                                                                                                                                                            • Instruction ID: dc23375ce13fd902e89275d49e8aa1785190a1aeb00074036d2d1ccc0239f566
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cf78ebf1e67392e563569423ac8251aaa9bad67d35f4e666dfefdb883c0d054a
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A6010C76100640AFD7228F55C945C23BFFAFF89720759848DE98A4BA22C272F812DF60
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 180d533fcbc9281147b7bc70261c2858f41dc7b2c49468858509ed9bca526ff5
                                                                                                                                                                                                                            • Instruction ID: c6d0a310bf37456b83f00b9cb1e99aee1a73634142af14db326ab8c80eeff169
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 180d533fcbc9281147b7bc70261c2858f41dc7b2c49468858509ed9bca526ff5
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6AF04F357105008FDB48DB3ED894869B7E6AFC976071590B9E506C7375EF70DC029A50
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: fd92d77b277ffb568364971519572ce80da252b2afaad2efc9eb5adbac5fb943
                                                                                                                                                                                                                            • Instruction ID: 7513ccaecfa9ac1bb651605442cd8fec117119bba771394a84e54374f1c26717
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fd92d77b277ffb568364971519572ce80da252b2afaad2efc9eb5adbac5fb943
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E3F0BE32708155AF9B11CF6AEC809FFBBF9EBC5350315446AE408D7101E770990BCB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: b8c552c8b4a76698633cfdd7cbf6f4e37cc99c50a9c2ce5ec702feec85aea4ef
                                                                                                                                                                                                                            • Instruction ID: 839746ee39af49e97cd5e3484d0a26caea71f389bcfdf0bf26c2f5ee2c5bf0d2
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b8c552c8b4a76698633cfdd7cbf6f4e37cc99c50a9c2ce5ec702feec85aea4ef
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15F0F9B6610604AF9725CF0AD885C23FBEDEBC4670759C55AE94A4B712C671FC41CEA0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 834949ccb438f28e95f9bc6ee3f1fb1036aefe8e180b8e960100ef97591dbcca
                                                                                                                                                                                                                            • Instruction ID: 56a59e5292896e19d7c065475d69caba4d284419332038ba96663914bf4bb0fd
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 834949ccb438f28e95f9bc6ee3f1fb1036aefe8e180b8e960100ef97591dbcca
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15F05E357106104FCB48DB3ED44486977EAEFCD66132590B9E606CB371EFB0DC029650
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 736570aa0eab7c5e2431772e0fd436604ee6460381c6cee2148239193e2a4477
                                                                                                                                                                                                                            • Instruction ID: 6a6fc1b8e849071564d4561b8dbfeb628d513f1d3bf0950f21f51e36b0fd9a11
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 736570aa0eab7c5e2431772e0fd436604ee6460381c6cee2148239193e2a4477
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0FF0C8720043449BEB118A09CDC8762FFDCEB41234F58C55EFD080A287D2745844CA70
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 92d5e3180f1775e16b77390537bf010e39c92ebb225405b83bb38261c04d2dd9
                                                                                                                                                                                                                            • Instruction ID: 1aedec7762f736879afc28f6b2fc99d8d0c1235d38efa2b06394b1937396f6bc
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 92d5e3180f1775e16b77390537bf010e39c92ebb225405b83bb38261c04d2dd9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 45F0CD317002019FCB21CB689945F967BA5DF86720F158AAAE6148B2E2D3B1E84A9740
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 669019aed71ebb7da7832d8b620357eafe5d175b709ae53266b7ed3f1b5bc7a9
                                                                                                                                                                                                                            • Instruction ID: 4d541ccb6a47285bbeafd623c61b42fd26d9e6665f16e95056651886d5389957
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 669019aed71ebb7da7832d8b620357eafe5d175b709ae53266b7ed3f1b5bc7a9
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1AF037722041E83F8B519E9B5C14CFB7FEDDA8E1A67094066FED8D2141C439CA219BB0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4002800367.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_12ed000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 99a4a96af8e6d31bc9c3860c848337c4e3f34e6af2b8dfd1954ea0ed066d2e9c
                                                                                                                                                                                                                            • Instruction ID: 4a0d0d089e13f587991ca42430cbd7483dbb1b3e49ffbbd798a4e5028f4302bc
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 99a4a96af8e6d31bc9c3860c848337c4e3f34e6af2b8dfd1954ea0ed066d2e9c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 49F0E775114784AFD726CF46C985C23BBF9EF896607198489E84A8B362C671FC42CFA0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: c147e9ed6f18673b79a30df3858778438e46397a272dbf757f3190527291423b
                                                                                                                                                                                                                            • Instruction ID: a29ae30afcfed5c6d31d8414569a67899600c421e6883f8a0fd8e490ead84e96
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c147e9ed6f18673b79a30df3858778438e46397a272dbf757f3190527291423b
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6F06730E00702DFCB24CF21E484ABBB7F6FF94204B18886DE40646A14C7B1E582CB50
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 091df481a6aedf00156b8fc6613f1754e845ce1d95f42c221467e535ac48507f
                                                                                                                                                                                                                            • Instruction ID: 6d270c2500e91a102b66acb79d068f59e45c06fbf7673c712cc1d9cc4371636a
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 091df481a6aedf00156b8fc6613f1754e845ce1d95f42c221467e535ac48507f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AEF0BE316083806FD7268F3AE844852BFF6EBC236035482A9E549C7252D720DD02C761
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 8837de77ad7bf7ddf78b13ce0e061017f65858cc94629387d53698394bc8b545
                                                                                                                                                                                                                            • Instruction ID: 80c6ab2f32538f8929a1293db118f7892354b75de6d49be61625b678d5ca9d99
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8837de77ad7bf7ddf78b13ce0e061017f65858cc94629387d53698394bc8b545
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 82F08C36A002229FD718CF69E884D9AF7E9FF8476071482BEE80887200D731E843CB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 2636529a13c2b79310ecf0110e38c5598fcc9df15ab1ab850657a055fba9ffba
                                                                                                                                                                                                                            • Instruction ID: 70cad681e5e71a32b558931a7b1c2de211b7a3e57e7f015e7b2b3b6f18a984aa
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2636529a13c2b79310ecf0110e38c5598fcc9df15ab1ab850657a055fba9ffba
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D5E09A32605625AF8714CB59E980817FBEDFB88770300812AE808C7300D732EC12CBE0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 66b608d88c9f84681a62056139b04903313cc42dbc7fd9adf9e1815533264f3f
                                                                                                                                                                                                                            • Instruction ID: 4982686f802e0d732fb47b0d037e773ff79e60f6b3aa62e61cb5c1b9c792bbf0
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 66b608d88c9f84681a62056139b04903313cc42dbc7fd9adf9e1815533264f3f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4EE04F363001145BC7149A4EE404D9ABBEEEBD87717048037F60DC7360CA71DD52C6E4
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 211fae368072d1a43c8da250f6fd61b334ba6ba2d4a9d62dbe28f0f4d493bbc8
                                                                                                                                                                                                                            • Instruction ID: fcdad112fd9607725d0670ae9c4e6715ebac3695534da2cbb2465527322ae62b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 211fae368072d1a43c8da250f6fd61b334ba6ba2d4a9d62dbe28f0f4d493bbc8
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6BE0DF322046428FDB21CBB9D8818997BF2DFC532030589AEE8598B062CF70A842CB90
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000021.00000002.4045262178.000000000BA40000.00000040.00000800.00020000.00000000.sdmp, Offset: 0BA40000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_33_2_ba40000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 962b14bdee65d69ed2a5ce4c1695ea609a2e7515b5d69e072ebc80ce39fdab96
                                                                                                                                                                                                                            • Instruction ID: 189f4416a2905b60fb0e7f56f07c5f4932b226710dda39d9b3c83c0d62f8c2a3
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 962b14bdee65d69ed2a5ce4c1695ea609a2e7515b5d69e072ebc80ce39fdab96
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6D05E7220061647CA15D76EE84049677D9DFC42203418929A81A87512DF60E84187C0
Memory Dump Source
• Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 8fd9b7cd77efefb7b6c4fc8666c59575a1c5b5d5202fc7e5ee3f85acd8097791
                                                                                                                                                                                                                            • Instruction ID: 0fdd881a91b809a02378d59fa64b90a4a8c0f4f8e3392cc300f1939babcfe8d5
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8fd9b7cd77efefb7b6c4fc8666c59575a1c5b5d5202fc7e5ee3f85acd8097791
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 92B16270E00209DFDF10CFA9D8957ADBBF2BF88314F14862AD815A7264EB74AC46DB41
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 80ae03f72c0014f3ec55fb890495d6dc6c8709d1c42bd33a4b154a8437847532
                                                                                                                                                                                                                            • Instruction ID: acc5dc464dd832c5a198a629e5e70454f995b1e148fe7eedfcce71517cfcf6bb
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 80ae03f72c0014f3ec55fb890495d6dc6c8709d1c42bd33a4b154a8437847532
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9DB15470E00209DFDF10CFA9D8957ADBBF2BF48314F14862AE815E7264EB74A845DB81
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID: Hgq$$cq$$cq
                                                                                                                                                                                                                            • API String ID: 0-2948965698
                                                                                                                                                                                                                            • Opcode ID: 1857758a8230717ad0a338103d53abe83d07d88bc720c47afe90ad98085c3136
                                                                                                                                                                                                                            • Instruction ID: c43a2ad100074723a4e012f630ff5bc41a924799b25528312d2c2bcae9a8d3d9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1857758a8230717ad0a338103d53abe83d07d88bc720c47afe90ad98085c3136
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ED225234B001688FCB25DB24D8546AEBBF6BF89304F1445A9D809AB3A1DF35AD85DF81
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 6375688f2a9425bf4dcd44fb5dbc7d1a8565d5150af4942311454b8cb41ea69c
                                                                                                                                                                                                                            • Instruction ID: 244e41ffdacf5e283cfce581d22f40321faed8989868cde8927dff66d8997e24
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6375688f2a9425bf4dcd44fb5dbc7d1a8565d5150af4942311454b8cb41ea69c
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24B14E70E00209DFDF10CFA9D895BADBBF1BF48314F14862AD815A7264EB74AC46DB91
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: d68497b330ffed7fbe688327ebf1ba2f7d205b3390f54e4fdb691c34d17639d0
                                                                                                                                                                                                                            • Instruction ID: 31612e392ed003a99b09df2e570ac0de1a1c90f10fb4e60597906c8368561b3b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d68497b330ffed7fbe688327ebf1ba2f7d205b3390f54e4fdb691c34d17639d0
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5AB14E70E00209DFDF10CFA9D9957ADBBF1BF48314F14862AE815E7264EB74A845DB81
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: ae1d92c99861303cdbf0ef0b733b39b4a3d4fa0f25b846df64e635a8d2bb5214
                                                                                                                                                                                                                            • Instruction ID: d82cd8767cf2e8d8b2f62ad5109edffb83dcf662ac8438d2dacc3c846355bd7b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae1d92c99861303cdbf0ef0b733b39b4a3d4fa0f25b846df64e635a8d2bb5214
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA914974A006059FCB15CF58C4949BEBBB1FF88310B24869AE855AB3A5C735FC51DFA0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: d26dae28f63afb7f70c7a8125e98b8c37723679a0a24b03559ba902d3857a925
                                                                                                                                                                                                                            • Instruction ID: 23ded9bdb0621caa47c6b366e8245804003e0808a2cb69cb66933b9d0151a8c8
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d26dae28f63afb7f70c7a8125e98b8c37723679a0a24b03559ba902d3857a925
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 81716271E002099FDF14DFA9D8557EDBBF2BF88314F14812AE815A7264EB74A842DF81
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: b3793d565b922fffc58912185222aa5c64e9f20509f34ff960ce26629574ce15
                                                                                                                                                                                                                            • Instruction ID: 4099c08ffdad409871e386739ee30eddcff5b90492aa5edf6d04edb668e93fd1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b3793d565b922fffc58912185222aa5c64e9f20509f34ff960ce26629574ce15
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 88716071E002099FDF14DFA8D8957EDBBF1BF88314F14812AE815A7264EB74A842DF91
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                            • Opcode ID: 1719af1a0465e2b5b6436def7643a6a41159ad2c4bd46bd6e365577d34959a4e
                                                                                                                                                                                                                            • Instruction ID: 22df40f260ee3630d7027ab80b98315357d0e9cacea2611a6b18fbff55a9c508
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1719af1a0465e2b5b6436def7643a6a41159ad2c4bd46bd6e365577d34959a4e
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8D4115B4A005059FCB05CF58C4A89BAFBB1FF48310B25859AE855AB365C736FC91DFA0
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2688271920.0000000004550000.00000040.00000800.00020000.00000000.sdmp, Offset: 04550000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_4550000_powershell.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2687866014.0000000002C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_2c5d000_powershell.jbxd
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 00000024.00000002.2687866014.0000000002C5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02C5D000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_36_2_2c5d000_powershell.jbxd

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 026069D1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002A.00000002.3025097517.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_42_2_2600000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ManagerOpen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1889721586-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 026069D1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002A.00000002.3025097517.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_42_2_2600000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ManagerOpen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1889721586-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • OpenSCManagerW.SECHOST(00000000,00000000,?), ref: 026069D1
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002A.00000002.3025097517.0000000002600000.00000040.00000800.00020000.00000000.sdmp, Offset: 02600000, based on PE: false
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_42_2_2600000_FastestVPN.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ManagerOpen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1889721586-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 01036166
                                                                                                                                                                                                                            • #538.MFC42U(010014DC,00000000,?,00000002), ref: 0103617A
                                                                                                                                                                                                                            • #4197.MFC42U(010014DC,00000000,?,00000002), ref: 0103618C
                                                                                                                                                                                                                            • #538.MFC42U(010014DC,010014DC,00000000,?,00000002), ref: 01036195
                                                                                                                                                                                                                            • #540.MFC42U(010014DC,010014DC,00000000,?,00000002), ref: 010361A1
                                                                                                                                                                                                                            • #540.MFC42U(010014DC,010014DC,00000000,?,00000002), ref: 010361AD
                                                                                                                                                                                                                            • #2910.MFC42U(00000000,/subdirectories,00000004,010014DC,010014DC,00000000,?,00000002), ref: 010361CC
                                                                                                                                                                                                                              • Part of subcall function 010358C5: wcslen.MSVCRT ref: 010358C9
                                                                                                                                                                                                                            • #2910.MFC42U(00000000,+subdirectories,00000004,00000000,00000000,/subdirectories,00000004,010014DC,010014DC,00000000,?,00000002), ref: 010361E9
                                                                                                                                                                                                                              • Part of subcall function 010358C5: wcsncmp.MSVCRT ref: 010358E3
                                                                                                                                                                                                                            • #2910.MFC42U(00000000,/service,00000004,?,+subdirectories=,00000004,?,0000001F,0000003D,?,/subdirectories=,00000004,?,0000001F,0000003D,00000000), ref: 0103624E
                                                                                                                                                                                                                            • #2910.MFC42U(00000000,+service,00000004,00000000,00000000,/service,00000004,?,+subdirectories=,00000004,?,0000001F,0000003D,?,/subdirectories=,00000004), ref: 0103626B
                                                                                                                                                                                                                            • #823.MFC42U(000001FC,00000000,00000000,?,00000000,00000000,00000002,?,00000000,01003608,00000002,00000000,00000002,00000000,00000000,/subdirectories), ref: 01036DB9
                                                                                                                                                                                                                            • #540.MFC42U(00000000,00000000,?,00000000,00000000,00000002,?,00000000,01003608,00000002,00000000,00000002,00000000,00000000,/subdirectories,00000004), ref: 01036DD6
                                                                                                                                                                                                                            • #2910.MFC42U(00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000,01003608,00000002,00000000,00000002,00000000,00000000,/subdirectories), ref: 01036DEC
                                                                                                                                                                                                                            • #538.MFC42U(00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000,01003608,00000002,00000000,00000002,00000000,00000000), ref: 01036DF5
                                                                                                                                                                                                                            • #540.MFC42U(00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000,01003608,00000002,00000000,00000002,00000000,00000000), ref: 01036E01
                                                                                                                                                                                                                            • GetLastError.KERNEL32(Parsing registry key error :,?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?), ref: 01036E31
                                                                                                                                                                                                                            • #2910.MFC42U(00000000), ref: 01036E5C
                                                                                                                                                                                                                            • #800.MFC42U ref: 01036EA6
                                                                                                                                                                                                                            • #800.MFC42U ref: 01036EB2
                                                                                                                                                                                                                            • #800.MFC42U ref: 01036EBE
                                                                                                                                                                                                                            • #823.MFC42U(00000200,?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?), ref: 01036ECD
                                                                                                                                                                                                                            • #2910.MFC42U(00000000,00000000,00000000,?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 01036EE4
                                                                                                                                                                                                                            • #2910.MFC42U(00000000,00000000,00000000,00000000,00000000,?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?), ref: 01036EEE
                                                                                                                                                                                                                            • #800.MFC42U(?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000), ref: 01036F14
                                                                                                                                                                                                                            • #800.MFC42U(?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000), ref: 01036F20
                                                                                                                                                                                                                            • #800.MFC42U(?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000), ref: 01036F2C
                                                                                                                                                                                                                            • #800.MFC42U(?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000), ref: 01036F38
                                                                                                                                                                                                                            • #800.MFC42U(?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000), ref: 01036F44
                                                                                                                                                                                                                            • #800.MFC42U(?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000), ref: 01036F4F
                                                                                                                                                                                                                            • #800.MFC42U(?,?,0000001F,00000001,00000000,?,00000000,00000000,00000000,00000000,?,00000000,00000000,00000002,?,00000000), ref: 01036F5B
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: #2910$#800$#823$#858$#538#540$#4197$#4124#4272#861ErrorH_prologLastwcscmpwcslenwcsncmp$#2755#4273#535ManagerOpen
                                                                                                                                                                                                                            • String ID: - $ - DfsPath is not supported$ is invalid. You should use filesonly or directoriesonly $ will not be processed. Dfs path is not supported$+clustershare$+driver$+file$+file=$+kernelobject$+keyreg$+metabase$+onlyfile$+printer$+process$+regkey$+reparsepoint$+samobject$+service$+share$+subdirectories$+subdirectories=$+subkeyreg$--- DEBUG ObjCreateInstance - Default Sam Server will be = $--- DEBUG ObjCreateInstance - Error FileFullPathName = $/clustershare$/driver$/file$/file=$/kernelobject$/keyreg$/metabase$/onlyfile$/playfile$/printer$/process$/regkey$/reparsepoint$/samobject$/service$/share$/subdirectories$/subdirectories=$/subkeyreg$Could not open Sam Server :$Error $OpenSCManager :$Parsing registry key error :$Remote access is not allowed for kernelobject or process$Unknown message $directoriesonly$filesonly
                                                                                                                                                                                                                            • API String ID: 4197239884-3296023821
                                                                                                                                                                                                                            • Opcode ID: f0bff6946ef0643fc75edc2c9055052a5970c531ad02b3f03adce31fb385bf0f
                                                                                                                                                                                                                            • Instruction ID: 3690535e73fda2d2dba8554175998f4b662ee8306b69ff9f6bc4b35ffdbe1ee6
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f0bff6946ef0643fc75edc2c9055052a5970c531ad02b3f03adce31fb385bf0f
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F82C274600206BBDF15BBB9CC94BEFBBADAFA4704F400559F582E7281DB798A408761

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 01033E4A
                                                                                                                                                                                                                            • SetConsoleCtrlHandler.KERNEL32(01032603,00000001), ref: 01033E5E
                                                                                                                                                                                                                            • CoInitialize.OLE32(00000000), ref: 01033E67
                                                                                                                                                                                                                            • GetCommandLineW.KERNEL32(?), ref: 01033E71
                                                                                                                                                                                                                            • CommandLineToArgvW.SHELL32(00000000), ref: 01033E78
                                                                                                                                                                                                                            • #823.MFC42U(000000A4), ref: 01033E92
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: CommandLine$#823ArgvConsoleCtrlH_prologHandlerInitialize
                                                                                                                                                                                                                            • String ID: --- DEBUG Option = $/help$/playfile$Can't open playfile file
                                                                                                                                                                                                                            • API String ID: 780783075-2399648983
                                                                                                                                                                                                                            • Opcode ID: 9d8fb24dd25c3e7f5de69b308beb37e1556edb647800677095af126dd49a5cf6
                                                                                                                                                                                                                            • Instruction ID: 9163a72d6d4645e1231c6f6c94704be91423c6ec0ea9a91bcba559d490b20847
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9d8fb24dd25c3e7f5de69b308beb37e1556edb647800677095af126dd49a5cf6
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DFC1C674600206EFDB25EFA4C9C5BEEBBB8FF94340F404169E582EB190DB749941CBA1

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 01030054
                                                                                                                                                                                                                            • #535.MFC42U(0000003E,00000001,00000002,00000001), ref: 0103007D
                                                                                                                                                                                                                            • #4197.MFC42U(0000003E,00000001,00000002,00000001), ref: 010300BA
                                                                                                                                                                                                                            • SetLastError.KERNEL32(00000539,?,010014DC,?,?,0000003E,00000001,00000002,00000001), ref: 0103012E
                                                                                                                                                                                                                              • Part of subcall function 0101D5F3: wcscmp.MSVCRT ref: 0101D5FD
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: __EH_prolog.LIBCMT ref: 0102E7B1
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #540.MFC42U(00000002,?,?), ref: 0102E809
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #2755.MFC42U(0000005C,00000002,?,?), ref: 0102E817
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #858.MFC42U(?,0000005C,00000002,?,?), ref: 0102E82C
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #2910.MFC42U(00000000,?,00000032,00000000,00000400,?,?,0000005C,00000002,?,?), ref: 0102E851
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #2910.MFC42U(00000000,00000000,00000000,?,00000032,00000000,00000400,?,?,0000005C,00000002,?,?), ref: 0102E85E
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: LookupAccountNameW.ADVAPI32(00000000,00000000,00000000,00000000,?,00000032,00000000), ref: 0102E864
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #861.MFC42U(00000000,?,?), ref: 0102E877
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #942.MFC42U(01001514,00000000,?,?), ref: 0102E883
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #940.MFC42U(?,01001514,00000000,?,?), ref: 0102E891
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #4197.MFC42U(?,01001514,00000000,?,?), ref: 0102E898
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #4197.MFC42U(?,01001514,00000000,?,?), ref: 0102E89F
                                                                                                                                                                                                                              • Part of subcall function 0102E7AC: #800.MFC42U(?,?), ref: 0102E8B1
                                                                                                                                                                                                                            • #800.MFC42U(?,?,010014DC,?,?,0000003E,00000001,00000002,00000001), ref: 0103013D
                                                                                                                                                                                                                            • #800.MFC42U(?,010014DC,?,?,0000003E,00000001,00000002,00000001), ref: 01030151
                                                                                                                                                                                                                            • #800.MFC42U(?,010014DC,?,?,0000003E,00000001,00000002,00000001), ref: 0103015D
                                                                                                                                                                                                                            • #535.MFC42U(?,?,?,?,?,010014DC,00000002,?,00000002,00000002,00000001,00000002,00000001), ref: 010301D7
                                                                                                                                                                                                                              • Part of subcall function 0102F553: __EH_prolog.LIBCMT ref: 0102F558
                                                                                                                                                                                                                              • Part of subcall function 0102F553: #800.MFC42U(?,?,?,?,0102FE92,?,?,?,?,010014DC,?,?,?,010014DC,00000001,00000002), ref: 0102F5B9
                                                                                                                                                                                                                              • Part of subcall function 0102EDD7: #858.MFC42U(010014A0,010014DC,?,01001510,0102FA4B,?,?,?,?,?,010014DC,?,?,010014DC,010014DC,?), ref: 0102EDED
                                                                                                                                                                                                                            • #535.MFC42U(?,?,?,010014DC,00000002,?,00000002,00000002,00000001,00000002,00000001), ref: 01030204
                                                                                                                                                                                                                            • #800.MFC42U(00000002,?,?,?,010014DC,00000002,?,00000002,00000002,00000001,00000002,00000001), ref: 0103021B
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            • --- DEBUG SidFactory::LookupAccount Found = , xrefs: 01030100
                                                                                                                                                                                                                            • --- DEBUG SidFactory::LookupAccount using OffLine sam = , xrefs: 0103009C
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: #800$#4197#535H_prolog$#2910#858$#2755#540#861#940#942AccountErrorLastLookupNamewcscmp
                                                                                                                                                                                                                            • String ID: --- DEBUG SidFactory::LookupAccount Found = $--- DEBUG SidFactory::LookupAccount using OffLine sam =
                                                                                                                                                                                                                            • API String ID: 1683914480-1924730002
                                                                                                                                                                                                                            • Opcode ID: c20567f65207412d0b3d041c232d47fef1ec68655a5ef6fb4bf38793f5dc2c55
                                                                                                                                                                                                                            • Instruction ID: 5cc80e20ccd1446014a266db7848a00264bdcc3f3a349ab5d7f9e086484581f9
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c20567f65207412d0b3d041c232d47fef1ec68655a5ef6fb4bf38793f5dc2c55
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B751B671A00219DFDB55EFE8C984AEEB7BDBF98300F004159F58697288DB749A05CB61

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 1490 101cb5c-101cbe3 call 103e368 #538 #823 * 2 GetStdHandle * 2 GetConsoleScreenBufferInfo 1493 101cbe5-101cbe9 1490->1493 1494 101cbed-101cbfd 1490->1494 1493->1494
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 0101CB61
                                                                                                                                                                                                                            • #538.MFC42U(010014DC,00000001,?,00000001,00000000,/playfile,00000004,00000000), ref: 0101CB7F
                                                                                                                                                                                                                            • #823.MFC42U(0001E002,010014DC,00000001,?,00000001,00000000,/playfile,00000004,00000000), ref: 0101CBA3
                                                                                                                                                                                                                            • #823.MFC42U(0001E002,0001E002,010014DC,00000001,?,00000001,00000000,/playfile,00000004,00000000), ref: 0101CBAC
                                                                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F5,010014DC,00000001,?,00000001,00000000,/playfile,00000004,00000000), ref: 0101CBCA
                                                                                                                                                                                                                            • GetStdHandle.KERNEL32(000000F5,?,?,00000001,00000000,/playfile,00000004,00000000), ref: 0101CBD8
                                                                                                                                                                                                                            • GetConsoleScreenBufferInfo.KERNELBASE(00000000,?,00000001,00000000,/playfile,00000004,00000000), ref: 0101CBDB
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: #823Handle$#538BufferConsoleH_prologInfoScreen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3315392054-0
                                                                                                                                                                                                                            • Opcode ID: c9f1c13a9e614124e8163afa4dd005fa585c430a68498c2825fd6ce5d6ebffbe
                                                                                                                                                                                                                            • Instruction ID: 690b3aa76e8d65da0aad0ca7bd8c2fc9f124f79f5938b890db24b6cb901c7c1b
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c9f1c13a9e614124e8163afa4dd005fa585c430a68498c2825fd6ce5d6ebffbe
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F011FB71900705DFD720AF6AD884A8AFBF8FF99710B104B2EE096D7650D774E944CB54

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 1495 103cf3f-103cf55 1496 103d0eb-103d0f5 call 103dee7 1495->1496 1497 103cf5b-103cf86 call 1035405 swprintf 1495->1497 1502 103cf89-103cfa2 1497->1502 1502->1502 1503 103cfa4-103cfb9 swprintf 1502->1503 1504 103cfbc-103cfd5 1503->1504 1504->1504 1505 103cfd7-103cfde 1504->1505 1506 103cfe0-103cfe9 1505->1506 1507 103d00e-103d02c call 1035405 swprintf 1505->1507 1509 103cfeb-103cffb 1506->1509 1510 103cffd-103d000 1506->1510 1513 103d02f-103d046 1507->1513 1511 103d006-103d00c 1509->1511 1510->1511 1511->1506 1511->1507 1513->1513 1514 103d048-103d04f 1513->1514 1515 103d051-103d059 1514->1515 1516 103d07e-103d08f swprintf 1514->1516 1517 103d05b-103d06b 1515->1517 1518 103d06d-103d070 1515->1518 1519 103d092-103d0a7 1516->1519 1520 103d076-103d07c 1517->1520 1518->1520 1519->1519 1521 103d0a9-103d0b0 1519->1521 1520->1515 1520->1516 1522 103d0e2-103d0e4 call 103cd59 1521->1522 1523 103d0b2-103d0b8 1521->1523 1528 103d0e9-103d0ea 1522->1528 1525 103d0ba-103d0ca 1523->1525 1526 103d0cc-103d0d4 1523->1526 1527 103d0da-103d0e0 1525->1527 1526->1527 1527->1522 1527->1523 1528->1496
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                              • Part of subcall function 01035405: __EH_prolog.LIBCMT ref: 0103540A
                                                                                                                                                                                                                              • Part of subcall function 01035405: #535.MFC42U(?,00000000), ref: 01035458
                                                                                                                                                                                                                              • Part of subcall function 01035405: #4197.MFC42U(?,00000000), ref: 01035463
                                                                                                                                                                                                                              • Part of subcall function 01035405: #535.MFC42U(?,01001510,?,?,00000000), ref: 0103548E
                                                                                                                                                                                                                              • Part of subcall function 01035405: #535.MFC42U(?,?,01001510,?,?,00000000), ref: 0103549E
                                                                                                                                                                                                                              • Part of subcall function 01035405: #538.MFC42U(010014DC,?,?,01001510,?,?,00000000), ref: 010354AF
                                                                                                                                                                                                                              • Part of subcall function 01035405: #2910.MFC42U(00000000,010014DC,?,?,01001510,?,?,00000000), ref: 010355C4
                                                                                                                                                                                                                              • Part of subcall function 01035405: #2756.MFC42U(00000000,00000000,010014DC,?,?,01001510,?,?,00000000), ref: 010355CD
                                                                                                                                                                                                                              • Part of subcall function 01035405: #922.MFC42U(?,?,?,00000000,00000000,00000000,?,00000002,00000000,?,00000002,00000004,00000000,?,00000000,00000000), ref: 010355E9
                                                                                                                                                                                                                              • Part of subcall function 01035405: #858.MFC42U(00000000,?,?,?,00000000,00000000,00000000,?,00000002,00000000,?,00000002,00000004,00000000,?,00000000), ref: 010355F6
                                                                                                                                                                                                                              • Part of subcall function 01035405: #800.MFC42U(00000000,?,?,?,00000000,00000000,00000000,?,00000002,00000000,?,00000002,00000004,00000000,?,00000000), ref: 01035602
                                                                                                                                                                                                                              • Part of subcall function 01035405: #800.MFC42U(00000000,?,?,?,00000000,00000000,00000000,?,00000002,00000000,?,00000002,00000004,00000000,?,00000000), ref: 0103560E
                                                                                                                                                                                                                              • Part of subcall function 01035405: #800.MFC42U(00000000,?,?,?,00000000,00000000,00000000,?,00000002,00000000,?,00000002,00000004,00000000,?,00000000), ref: 0103561A
                                                                                                                                                                                                                              • Part of subcall function 01035405: #800.MFC42U(00000000,?,?,?,00000000,00000000,00000000,?,00000002,00000000,?,00000002,00000004,00000000,?,00000000), ref: 01035625
                                                                                                                                                                                                                              • Part of subcall function 01035405: #800.MFC42U(?,00000000), ref: 01035648
                                                                                                                                                                                                                            • swprintf.MSVCRT(?,%8d,00000002,?,00000001,01001510,00000000,?,00000000,/playfile,00000004,00000000), ref: 0103CF7B
                                                                                                                                                                                                                            • swprintf.MSVCRT(?,%8d,?), ref: 0103CFAC
                                                                                                                                                                                                                            • swprintf.MSVCRT(?,%8d,000000FF,?,00000001), ref: 0103D021
                                                                                                                                                                                                                            • swprintf.MSVCRT(?,%8d), ref: 0103D085
                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: #800$swprintf$#535$#2756#2910#4197#538#858#922H_prolog
                                                                                                                                                                                                                            • String ID: %8d
                                                                                                                                                                                                                            • API String ID: 4283975728-2626110627
                                                                                                                                                                                                                            • Opcode ID: 128db9bd5d15eaac44a9a5cb671c008e557a6c5b04910238f8e008624092e989
                                                                                                                                                                                                                            • Instruction ID: 760780b26fe0834c53726d2ea634f5ccb665801387a4f111df69a5e6622de4a1
                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 128db9bd5d15eaac44a9a5cb671c008e557a6c5b04910238f8e008624092e989
                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 50518D706007068BCB24DF58C590AAEB7F9FF88704B40496DD692DB751EB36E946CB80

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 1529 101d34c-101d371 call 103e368 call 101d247 1534 101d373-101d379 #825 1529->1534 1535 101d37a-101d37f 1529->1535 1534->1535 1536 101d381-101d387 #825 1535->1536 1537 101d388-101d3a0 #800 1535->1537 1536->1537
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 0101D351
                                                                                                                                                                                                                              • Part of subcall function 0101D247: fclose.MSVCRT ref: 0101D25A
                                                                                                                                                                                                                              • Part of subcall function 0101D247: #861.MFC42U(010014DC,00000001,?,0101D36C,00000000,?,0103BC6E,?,?,?,00000004,?,?,0101B0F8,action|?> ,0101B134), ref: 0101D274
                                                                                                                                                                                                                            • #825.MFC42U(?,00000000,?,0103BC6E,?,?,?,00000004,?,?,0101B0F8,action|?> ,0101B134,00000000,00000000,00000000), ref: 0101D374
                                                                                                                                                                                                                            • #825.MFC42U(?,00000000,?,0103BC6E,?,?,?,00000004,?,?,0101B0F8,action|?> ,0101B134,00000000,00000000,00000000), ref: 0101D382
                                                                                                                                                                                                                            • #800.MFC42U(00000000,?,0103BC6E,?,?,?,00000004,?,?,0101B0F8,action|?> ,0101B134,00000000,00000000,00000000,01001510), ref: 0101D38F
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: #825$#800#861H_prologfclose
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1175585050-0

                                                                                                                                                                                                                            Control-flow Graph

                                                                                                                                                                                                                            control_flow_graph 1556 101e01d-101e04a call 103e368 1559 101e053-101e06e #800 call 1023934 1556->1559 1560 101e04c-101e04d CloseHandle 1556->1560 1562 101e073-101e07f 1559->1562 1560->1559
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • __EH_prolog.LIBCMT ref: 0101E022
                                                                                                                                                                                                                            • CloseHandle.KERNELBASE(?,?,?,01034F20,01001510,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?), ref: 0101E04D
                                                                                                                                                                                                                            • #800.MFC42U(?,?,01034F20,01001510,00000000,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0101E063
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: #800CloseH_prologHandle
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 3138414786-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • WriteConsoleOutputW.KERNELBASE(?,?,?,0103D0E9,?,?,?,?,0103D0E9), ref: 0103CD9A
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ConsoleOutputWrite
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1925201070-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • #825.MFC42U(?,00000000,?,01001510,01023943,?,0101E365,?,?,01034EE4,01001510,00000000,?,00000000,?,?), ref: 01023916
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: #825
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 41483190-0
                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                            • SetConsoleActiveScreenBuffer.KERNELBASE(?,0103BA91,00000001,00000001), ref: 0103CC6B
                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                            • Source File: 0000002B.00000002.3034144142.0000000001001000.00000020.00000001.01000000.00000032.sdmp, Offset: 01000000, based on PE: true
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034055198.0000000001000000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001046000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034300778.0000000001053000.00000004.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            • Associated: 0000002B.00000002.3034439417.0000000001054000.00000002.00000001.01000000.00000032.sdmp
                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                            • Snapshot File: hcaresult_43_2_1000000_subinacl.jbxd
                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                            • API ID: ActiveBufferConsoleScreen
                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                            • API String ID: 1715499361-0